Red Hat RichFaces vulnerabilities
6 known vulnerabilities affecting redhat/richfaces.
Total CVEs: 6
CISA KEV: 1 (actively exploited)
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2018-14667 | CRITICAL | CVSS 9.8 | KEV | CWE-94 | ≥ 3.1.0, ≤ 3.3.4 | 2018-11-06
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
nvd
CVE-2018-12532 | CRITICAL | CVSS 9.8 | CWE-917 | ≥ 4.5.3, ≤ 4.5.17 | 2018-06-18
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
nvd
CVE-2018-12533 | CRITICAL | CVSS 9.8 | CWE-917 | ≥ 3.1.0, ≤ 3.3.4 | 2018-06-18
JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.
nvd
CVE-2015-0279 | MEDIUM | CVSS 6.8 | CWE-94 | ≥ 4.0.0, ≤ 4.5.4 | 2015-03-26
JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.
nvd
CVE-2014-0086 | MEDIUM | CVSS 4.3 | CWE-20 | v4.3.4, v4.3.5, +1 more | 2014-03-31
The doFilter function in webapp/PushHandlerFilter.java in JBoss RichFaces 4.3.4, 4.3.5, and 5.x allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a large number of malformed atmosphere push requests.
nvd
CVE-2013-2165 | HIGH | CVSS 7.5 | CWE-264 | v3.1.0, v3.1.1, +22 more | 2013-07-23
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1,
nvd