Description
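JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310. The issue is tracked as CVE-2018-12533 (CWE-917); the record below rates it 7.5 (HIGH) under CVSS v2 and 9.8 (CRITICAL) under CVSS v3. The affected-software list in that record names org.richfaces:richfaces-core 4.5.0.Alpha3 through 4.5.17.Final, which does not match the 3.1.0 through 3.3.4 range stated here, so confirm the affected versions against the referenced Red Hat advisories (RHSA-2018:2663, RHSA-2018:2664, RHSA-2018:2930) before scoping remediation.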
Affected Software
Related
{"id": "OSV:GHSA-4J38-WJHF-884R", "vendorId": null, "type": "osv", "bulletinFamily": "software", "title": "Arbitrary code execution in Richfaces", "description": "JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.", "published": "2022-05-13T01:19:02", "modified": "2022-12-13T05:40:33", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://osv.dev/vulnerability/GHSA-4j38-wjhf-884r", "reporter": "Google", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2018-12533", "https://access.redhat.com/errata/RHSA-2018:2663", "https://access.redhat.com/errata/RHSA-2018:2664", "https://access.redhat.com/errata/RHSA-2018:2930", "https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html", "http://seclists.org/fulldisclosure/2020/Mar/21"], "cvelist": ["CVE-2018-12533"], "immutableFields": [], "lastseen": 
"2022-12-13T05:40:34", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-10849", "CVE-2018-12533"]}, {"type": "github", "idList": ["GHSA-4J38-WJHF-884R"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2018-2664.NASL"]}, {"type": "redhat", "idList": ["RHSA-2018:2663", "RHSA-2018:2664", "RHSA-2018:2930"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-12533"]}]}, "score": {"value": 7.7, "vector": "NONE"}, "affected_software": {"major_version": []}, "vulnersScore": 7.7}, "_state": {"dependencies": 1670910148, "score": 1670910191, "affected_software_major_version": 1670913557}, "_internal": {"score_hash": "2f599dc161f0b5f764af83b3f60c94ea"}, "affectedSoftware": [{"version": "4.5.0.Alpha3", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.0.Beta1", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.0.Beta2", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.0.CR1", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.0.CR2", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.0.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.1.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.10.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.11.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.12.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.13.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.14.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.15.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.16.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.17.Final", "operator": "eq", "name": 
"org.richfaces:richfaces-core"}, {"version": "4.5.2.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.3.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.4.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.5.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.6.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.7.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.8.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}, {"version": "4.5.9.Final", "operator": "eq", "name": "org.richfaces:richfaces-core"}]}
{"nessus": [{"lastseen": "2023-01-11T14:49:21", "description": "A security update is now available for Red Hat JBoss Enterprise Application Platform from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform 5.2 is a platform for Java applications based on jbossas.\n\nThis asynchronous patch is a security update for RichFaces and Apache CXF packages in Red Hat JBoss Enterprise Application Platform 5.2.\n\nSecurity Fix(es) :\n\n* Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource. (CVE-2018-12533)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-10T00:00:00", "type": "nessus", "title": "RHEL 5 / 6 : JBoss EAP (RHSA-2018:2664)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12533"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:richfaces", "p-cpe:/a:redhat:enterprise_linux:richfaces-cdk", "p-cpe:/a:redhat:enterprise_linux:richfaces-demo", "p-cpe:/a:redhat:enterprise_linux:richfaces-docs", "p-cpe:/a:redhat:enterprise_linux:richfaces-framework", "p-cpe:/a:redhat:enterprise_linux:richfaces-root", "p-cpe:/a:redhat:enterprise_linux:richfaces-ui", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2018-2664.NASL", "href": "https://www.tenable.com/plugins/nessus/117398", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:2664. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117398);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/10/24 15:35:45\");\n\n script_cve_id(\"CVE-2018-12533\");\n script_xref(name:\"RHSA\", value:\"2018:2664\");\n\n script_name(english:\"RHEL 5 / 6 : JBoss EAP (RHSA-2018:2664)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A security update is now available for Red Hat JBoss Enterprise\nApplication Platform from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform 5.2 is a platform for\nJava applications based on jbossas.\n\nThis asynchronous patch is a security update for RichFaces and Apache\nCXF packages in Red Hat JBoss Enterprise Application Platform 5.2.\n\nSecurity Fix(es) :\n\n* Injection of arbitrary EL expressions allows remote code execution\nvia org.richfaces.renderkit.html.Paint2DResource. (CVE-2018-12533)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-us/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:2664\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-12533\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:richfaces\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:richfaces-cdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:richfaces-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:richfaces-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:richfaces-framework\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:richfaces-root\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:richfaces-ui\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:2664\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL5\", rpm:\"jbossas-welcome-content-eap\") || rpm_exists(release:\"RHEL6\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL5\", reference:\"richfaces-3.3.1-7.SP3_patch_02.ep5.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"richfaces-cdk-3.3.1-7.SP3_patch_02.ep5.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"richfaces-demo-3.3.1-7.SP3_patch_02.ep5.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"richfaces-docs-3.3.1-7.SP3_patch_02.ep5.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"richfaces-framework-3.3.1-7.SP3_patch_02.ep5.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"richfaces-root-3.3.1-7.SP3_patch_02.ep5.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"richfaces-ui-3.3.1-7.SP3_patch_02.ep5.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"richfaces-3.3.1-4.SP3_patch_02.ep5.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", 
reference:\"richfaces-demo-3.3.1-4.SP3_patch_02.ep5.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"richfaces-framework-3.3.1-4.SP3_patch_02.ep5.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"richfaces-root-3.3.1-4.SP3_patch_02.ep5.el6_10\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"richfaces-ui-3.3.1-4.SP3_patch_02.ep5.el6_10\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"richfaces / richfaces-cdk / richfaces-demo / richfaces-docs / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2022-12-08T02:25:52", "description": "JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-25T02:19:42", "type": "redhatcve", "title": "CVE-2018-12533", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12533"], "modified": "2022-12-07T23:52:25", "id": "RH:CVE-2018-12533", "href": "https://access.redhat.com/security/cve/cve-2018-12533", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2021-10-19T20:37:38", "description": "Red Hat JBoss Enterprise Application Platform 5.2 is a platform for Java\napplications based on jbossas.\n\nThis asynchronous patch is a security update for RichFaces and Apache CXF packages in Red Hat JBoss Enterprise Application Platform 5.2.\n\nSecurity Fix(es):\n\n* Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource. (CVE-2018-12533)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-10T14:42:21", "type": "redhat", "title": "(RHSA-2018:2663) Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 
7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12533"], "modified": "2018-09-10T14:42:41", "id": "RHSA-2018:2663", "href": "https://access.redhat.com/errata/RHSA-2018:2663", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-19T20:39:52", "description": "Red Hat JBoss Enterprise Application Platform 5.2 is a platform for Java\napplications based on jbossas.\n\nThis asynchronous patch is a security update for RichFaces and Apache CXF packages in Red Hat JBoss Enterprise Application Platform 5.2.\n\nSecurity Fix(es):\n\n* Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource. (CVE-2018-12533)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-10T14:42:21", "type": "redhat", "title": "(RHSA-2018:2664) Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12533"], "modified": "2018-09-10T14:44:06", "id": "RHSA-2018:2664", "href": "https://access.redhat.com/errata/RHSA-2018:2664", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-19T20:36:24", "description": "Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.\n\nThis JBoss Operations Network 3.3.11 release serves as a replacement for\nJBoss Operations Network 3.3.10, and includes several bug fixes. Refer to\nthe Customer Portal page linked in the References section for information\non the most significant of these changes.\n\nSecurity Fix(es):\n\n* RichFaces: Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource (CVE-2018-12533)\n\n* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)\n\n* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank 0c0c0f from 360\u89c2\u661f\u5b9e\u9a8c\u5ba4 for reporting CVE-2017-17485 and Chris McCown for reporting CVE-2018-8088.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-10-16T17:02:47", "type": "redhat", "title": "(RHSA-2018:2930) Important: Red Hat JBoss Operations Network 3.3.11 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15095", "CVE-2017-17485", "CVE-2018-12533", "CVE-2018-1336", "CVE-2018-8088"], "modified": "2018-10-16T17:04:29", "id": "RHSA-2018:2930", "href": "https://access.redhat.com/errata/RHSA-2018:2930", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T12:38:41", "description": "JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T12:29:00", "type": "cve", "title": "CVE-2018-12533", "cwe": ["CWE-917"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12533"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:redhat:richfaces:3.3.4"], "id": "CVE-2018-12533", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12533", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:redhat:richfaces:3.3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:09:28", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-12533. Reason: This candidate is a reservation duplicate of CVE-2018-12533. Notes: All CVE users should reference CVE-2018-12533 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "cvss3": {}, "published": "2018-06-25T03:29:00", "type": "cve", "title": "CVE-2018-10849", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2018-10849", "CVE-2018-12533"], "modified": "2018-06-25T03:29:00", "cpe": [], "id": "CVE-2018-10849", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10849", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "github": [{"lastseen": "2023-01-06T05:10:17", "description": "JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T01:19:02", "type": "github", "title": "Arbitrary code execution in Richfaces", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12533"], "modified": "2023-01-06T05:04:16", "id": "GHSA-4J38-WJHF-884R", "href": 
"https://github.com/advisories/GHSA-4j38-wjhf-884r", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}