GHSA-3hx6-fqpj-xfjr

Suggest an improvement
Source
https://github.com/advisories/GHSA-3hx6-fqpj-xfjr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3hx6-fqpj-xfjr/GHSA-3hx6-fqpj-xfjr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3hx6-fqpj-xfjr
Aliases
Published
2022-05-13T01:19:02Z
Modified
2023-11-08T03:59:49.607470Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
RichFaces vulnerable to Expression Language Injection
Details

JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.

Database specific 
{
    "github_reviewed_at": "2022-11-08T12:55:35Z",
    "nvd_published_at": "2018-06-18T12:29:00Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-917"
    ],
    "github_reviewed": true
}
References

Affected packages

Maven / org.richfaces:richfaces-core

Package

Name
org.richfaces:richfaces-core
View open source insights on deps.dev
Purl
pkg:maven/org.richfaces/richfaces-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.5.3.Final
Last affected
4.5.17.Final

Affected versions

4.*
4.5.3.Final
4.5.4.Final
4.5.5.Final
4.5.6.Final
4.5.7.Final
4.5.8.Final
4.5.9.Final
4.5.10.Final
4.5.11.Final
4.5.12.Final
4.5.13.Final
4.5.14.Final
4.5.15.Final
4.5.16.Final
4.5.17.Final

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3hx6-fqpj-xfjr/GHSA-3hx6-fqpj-xfjr.json"