GHSA-j7mw-7crr-658v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j7mw-7crr-658v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j7mw-7crr-658v/GHSA-j7mw-7crr-658v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j7mw-7crr-658v
- Aliases
-
- CVE-2018-14667
- Published
- 2022-05-13T01:17:53Z
- Modified
- 2025-10-22T17:36:28Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H CVSS Calculator
- Summary
- Richfaces vulnerable to arbitrary code execution
- Details
-
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via
org.ajax4jsf.resource.UserResource$UriData. - Database specific
{ "github_reviewed_at": "2022-11-08T13:08:20Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "nvd_published_at": "2018-11-06T22:29:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-14667
- https://github.com/richfaces/richfaces/commit/1372eb716c1a215a5af124198f21bde33fafad06
- https://access.redhat.com/errata/RHSA-2018:3517
- https://access.redhat.com/errata/RHSA-2018:3518
- https://access.redhat.com/errata/RHSA-2018:3519
- https://access.redhat.com/errata/RHSA-2018:3581
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-14667
- http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html
- http://seclists.org/fulldisclosure/2020/Mar/21
Affected packages
Maven / org.richfaces:richfaces-core
Package
- Name
- org.richfaces:richfaces-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.richfaces/richfaces-core