CVE-2011-4343

Severity: 7.5 HIGH
EPSS: 0.9% (top 24.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Aug 8
Latest update: May 17

Description

Information disclosure vulnerability in Apache MyFaces Core 2.0.1 through 2.0.10 and 2.1.0 through 2.1.4 allows remote attackers to inject EL expressions via crafted parameters.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: apache/myfaces (15 versions, +14)

Patches

🔴 Vulnerability Details (3)

GHSA: Apache MyFaces Vulnerable to EL Injection (2022-05-17)
OSV: Apache MyFaces Vulnerable to EL Injection (2022-05-17)
CVEList: CVE-2011-4343: Information disclosure vulnerability in Apache MyFaces Core 2 (2017-08-08)

📋 Vendor Advisories (1)

Red Hat: 2: EL injection, includeViewParameters re-evaluates param/model values as EL expressions (2011-11-22)

💬 Community (2)

Bugzilla: CVE-2011-4343 MyFaces 2: EL injection, includeViewParameters re-evaluates param/model values as EL expressions (2011-12-06)
Bugzilla: MyFaces 2 EL injection: includeViewParameters re-evaluates param/model values as EL expressions (2011-11-29)