CVE-2018-12533
CRITICAL9.8EPSS 79.7%Arbitrary code execution in Richfaces
發布日:2022/5/13修改日:2023/11/8
描述
JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.
受影響套件(1)
- Maven/org.richfaces:richfaces-core>= 3.1.0, <= 3.3.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-12533
- WEBhttps://access.redhat.com/errata/RHSA-2018:2663
- WEBhttps://access.redhat.com/errata/RHSA-2018:2664
- WEBhttps://access.redhat.com/errata/RHSA-2018:2930
- WEBhttps://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
- WEBhttp://seclists.org/fulldisclosure/2020/Mar/21