CVE-2018-12532
published 2018-06-18CVE-2018-12532: JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute…
PriorityP262critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
7.05%
93.4th percentile
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | richfaces | 4.5.3 – 4.5.17 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploit vector targets MediaOutputResource's resource request endpoint to inject an arbitrary EL variable mapper for RCE ↗
- →This vulnerability bypasses the previously applied mitigation for CVE-2015-0279 via EL variable mapper injection; detection logic should account for both CVEs in RichFaces 4.5.3–4.5.17 ↗
- →Technical write-up with exploitation details available at the Code White Sec blog — review for payload patterns and request signatures ↗
- ·Affected versions are RichFaces 4.5.3 through 4.5.17 only; earlier and later versions are not confirmed vulnerable ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat6.8MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
RichFaces: Injection of arbitrary EL variable mapper allows to bypass mitigation of CVE-2015-0279 and thereby remote code execution
vendor_redhat·2018-05-30·CVSS 6.8
CVE-2018-12532 [MEDIUM] CWE-94 RichFaces: Injection of arbitrary EL variable mapper allows to bypass mitigation of CVE-2015-0279 and thereby remote code execution
RichFaces: Injection of arbitrary EL variable mapper allows to bypass mitigation of CVE-2015-0279 and thereby remote code execution
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
Statement: This issue does not affect the following Red Hat products, as they do not include the vulnerable version of the RichFaces component:
Red Hat JBoss EAP 5.2
Red Hat JBoss Data Virtualization 6.4
Red Hat JBoss BRMS 5.3
Red Hat JBoss Operations Network 3.3
Package: RichFaces (JBoss Developer Studio 11) - Not affected
Package: RichFaces (Red Hat JBoss BRMS 5) - Not affected
Package: RichFaces (Red Hat JBoss Data Virtuali
GHSA
RichFaces vulnerable to Expression Language Injection
ghsa·2022-05-13
CVE-2018-12532 [CRITICAL] CWE-917 RichFaces vulnerable to Expression Language Injection
RichFaces vulnerable to Expression Language Injection
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
OSV
RichFaces vulnerable to Expression Language Injection
osv·2022-05-13
CVE-2018-12532 [CRITICAL] RichFaces vulnerable to Expression Language Injection
RichFaces vulnerable to Expression Language Injection
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
No detection rules found.
No public exploits indexed.
2018-06-18
Published