CVE-2015-0279

CWE-94 — Code Injection CWE-958 documents5 sources

Severity

6.8MEDIUM

EPSS

2.5%

top 14.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Richfaces

Timeline

PublishedMar 26

Latest updateMay 14

Description

JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDredhat/richfaces4.0.0 — 4.5.4

🔴Vulnerability Details

GHSA

GHSA-8cc3-p77g-5pcc: JBoss RichFaces before 4↗2022-05-14

▶

CVEList

CVE-2015-0279: JBoss RichFaces before 4↗2015-03-26

▶

📋Vendor Advisories

Red Hat

RichFaces: Injection of arbitrary EL variable mapper allows to bypass mitigation of CVE-2015-0279 and thereby remote code execution↗2018-05-30

▶

Red Hat

RichFaces: Remote Command Execution via insufficient EL parameter sanitization↗2015-03-24

▶

💬Community

Bugzilla

CVE-2018-12532 RichFaces: Injection of arbitrary EL variable mapper allows to bypass mitigation of CVE-2015-0279 and thereby remote code execution↗2018-05-31

▶

Bugzilla

CVE-2015-0279 wildfly: RichFaces: Remote Command Execution via insufficient EL parameter sanitization [fedora-all]↗2015-03-24

▶

Bugzilla

CVE-2015-0279 RichFaces: Remote Command Execution via insufficient EL parameter sanitization↗2015-02-12

▶