Code injection in JBoss Richfaces - CVE-2018-12533
Published: October 17, 2018 / Updated: October 18, 2018
Vulnerability identifier: #VU15407
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-12533
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
JBoss Richfaces
JBoss Richfaces
Detailed vulnerability description
The vulnerability allows a remote attacker to inject arbitrary code on the target system.
The vulnerability exists in Red Hat JBoss RichFaces due to the affected software allows injection of arbitrary Expression Language (EL) expressions. A remote unauthenticated attacker can use the org.richfaces.renderkit.html.Paint2DResource$ImageData object (RF-14310) to pass malicious resource data and execute arbitrary Java code.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2018-12533
Install update from vendor's website.