CVE-2018-12533
Published 2018-06-18
Priority P2 · 67 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 21.38% (97.3rd percentile)
JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | richfaces | 3.1.0 – 3.3.4 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests containing '/DATA/' in the URL path targeting RichFaces endpoints; this indicates attempted EL injection via Paint2DResource$ImageData deserialization.
- Focus detection on the class org.richfaces.renderkit.html.Paint2DResource as the injection point for arbitrary EL expression execution.
- No authentication is required to exploit this vulnerability; treat any unauthenticated request with '/DATA/' in the path to RichFaces resources as a high-priority alert.
- Affected versions are RichFaces 3.1.0 through 3.3.4 only; versions outside this range (including RichFaces 4.x) are not covered by this CVE.
- Red Hat JBoss Data Virtualization 6 and Red Hat JBoss Enterprise Application Platform 6 are listed as 'Not affected'; do not apply detections expecting vulnerable behavior on those platforms.
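The detection guidance above, turned into a small access-log scanner. This is an added example, not code from the page's sources: it flags request paths containing '/DATA/' that point at a RichFaces resource, rates those naming Paint2DResource as high confidence, and percent-decodes the path first so an encoded '/DATA/' is not missed. The '/a4j/' resource prefix is an assumption about RichFaces 3.x deployments, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Assumption: RichFaces 3.x serves its generated resources under an '/a4j/' prefix.
# The class named in the advisory is the higher-confidence indicator.
RICHFACES_MARKERS = ("/a4j/", "org.richfaces")
HIGH_CONFIDENCE = "Paint2DResource"

def classify_request(path):
    """Return 'high', 'medium' or None. The path is percent-decoded (unwrapping
    double encoding) so '%2FDATA%2F' is caught; '/DATA/' is matched case-sensitively."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "/DATA/" not in decoded:
        return None
    if HIGH_CONFIDENCE in decoded:
        return "high"
    if any(marker in decoded for marker in RICHFACES_MARKERS):
        return "medium"
    return None

def scan_log(lines):
    """Return (client, severity, path) for every access-log line that matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            severity = classify_request(m.group("path"))
            if severity:
                alerts.append((m.group("client"), severity, m.group("path")))
    return alerts

# Constructed sample lines; the resource paths are illustrative, not real payloads.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jun/2018:10:00:01 +0000] "GET /app/a4j/s/org.richfaces.renderkit.html.Paint2DResource/DATA/AAAA HTTP/1.1" 200 512',
    '203.0.113.8 - - [18/Jun/2018:10:00:02 +0000] "GET /app/a4j/s/other%2FDATA%2Fxyz HTTP/1.1" 404 0',
    '198.51.100.2 - - [18/Jun/2018:10:00:03 +0000] "GET /app/index.jsf HTTP/1.1" 200 2048',
    '198.51.100.3 - - [18/Jun/2018:10:00:04 +0000] "GET /data/report.pdf HTTP/1.1" 200 9000',
]
```

A '/DATA/' hit outside any RichFaces resource path is deliberately ignored, and affected-version scope cannot be read from the log, so a hit still needs the target's RichFaces version confirmed.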
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 9.8 | CRITICAL | — |
OSV
Arbitrary code execution in Richfaces (osv · 2022-05-13 · CVE-2018-12533 [CRITICAL])
GHSA
Arbitrary code execution in Richfaces (ghsa · 2022-05-13 · CVE-2018-12533 [CRITICAL] · CWE-917)
Red Hat
RichFaces: Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource (vendor_redhat · 2018-05-30 · CVSS 9.8 · CVE-2018-12533 [CRITICAL] · CWE-94)
- Package: RichFaces (JBoss Developer Studio 11) - Will not fix
- Package: RichFaces (Red Hat JBoss BRMS 5) - Will not fix
- Package: RichFaces (Red Hat JBoss Data Virtualization 6) - Not affected
- Package: RichFaces (Red Hat JBoss Enterprise Application Platform 6) - Not affected
- Package: RichFaces (Red Hat JBoss SOA Platform 5) - Will not fix
No detection rules found.
No public exploits indexed.
References
- http://seclists.org/fulldisclosure/2020/Mar/21
- http://www.securityfocus.com/bid/104502
- http://www.securitytracker.com/id/1041617
- https://access.redhat.com/errata/RHSA-2018:2663
- https://access.redhat.com/errata/RHSA-2018:2664
- https://access.redhat.com/errata/RHSA-2018:2930
- https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html