CVE-2018-14667
published 2018-11-06CVE-2018-14667: The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker…
PriorityP195critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2023-10-19
Exploited in the wild
EPSS
74.17%
99.4th percentile
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | richfaces | 3.1.0 – 3.3.4 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploitation targets the UserResource endpoint via Expression Language injection using a chain of Java serialized objects through org.ajax4jsf.resource.UserResource$UriData ↗
- →Affected component is RichFaces Framework versions 3.X through 3.3.4; monitor for exploitation attempts against the UserResource resource in these versions ↗
- ·Red Hat JBoss Operations Network 3 is confirmed NOT affected by this CVE ↗
- ·JBoss Developer Studio 11 (RichFaces) is out of security support scope and will not receive a patch ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
vendor_redhat9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
cisa·2023-09-28·CVSS 9.8
CVE-2018-14667 [CRITICAL] CWE-94 Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
Vulnerability: Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
Affected: Red Hat JBoss RichFaces Framework
Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667; https://nvd.nist.gov/vuln/detail/CVE-2018-14667
Remediation Due Date: 2023-10-19
Red Hat
RichFaces: Expression Language injection via UserResource allows for unauthenticated remote code execution
vendor_redhat·2018-11-06·CVSS 9.8
CVE-2018-14667 [CRITICAL] CWE-94 RichFaces: Expression Language injection via UserResource allows for unauthenticated remote code execution
RichFaces: Expression Language injection via UserResource allows for unauthenticated remote code execution
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Package: RichFaces (JBoss Developer Studio 11) - Out of support scope
Package: RichFaces (Red Hat JBoss Operations Network 3) - Not affected
OSV
Richfaces vulnerable to arbitrary code execution
osv·2022-05-13
CVE-2018-14667 [CRITICAL] Richfaces vulnerable to arbitrary code execution
Richfaces vulnerable to arbitrary code execution
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via `org.ajax4jsf.resource.UserResource$UriData`.
GHSA
Richfaces vulnerable to arbitrary code execution
ghsa·2022-05-13
CVE-2018-14667 [CRITICAL] CWE-94 Richfaces vulnerable to arbitrary code execution
Richfaces vulnerable to arbitrary code execution
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via `org.ajax4jsf.resource.UserResource$UriData`.
VulnCheck
Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-14667 [CRITICAL] CWE-94 Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Affected: Red Hat JBoss RichFaces Framework
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/19e2dcdd6dd0; https://vulncheck.com/xdb/484aa7ad502f
Remediation Due: 2023-10-19
No detection rules found.
No public exploits indexed.
http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.htmlhttp://seclists.org/fulldisclosure/2020/Mar/21http://www.securitytracker.com/id/1042037https://access.redhat.com/errata/RHSA-2018:3517https://access.redhat.com/errata/RHSA-2018:3518https://access.redhat.com/errata/RHSA-2018:3519https://access.redhat.com/errata/RHSA-2018:3581https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.htmlhttp://seclists.org/fulldisclosure/2020/Mar/21http://www.securitytracker.com/id/1042037https://access.redhat.com/errata/RHSA-2018:3517https://access.redhat.com/errata/RHSA-2018:3518https://access.redhat.com/errata/RHSA-2018:3519https://access.redhat.com/errata/RHSA-2018:3581https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-14667
2018-11-06
Published
2023-09-28
Added to CISA KEV
Exploited in the wild