CVE-2018-12533 - OpenCVE

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Richfaces

Configuration 1 [-]

cpe:2.3:a:redhat:richfaces:*:*:*:*:*:*:*:*

References

Link	Resource
http://seclists.org/fulldisclosure/2020/Mar/21
http://www.securityfocus.com/bid/104502	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041617	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:2663	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2664	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2930	Third Party Advisory
https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-06-18T12:00:00

Updated: 2020-03-14T00:06:04

Reserved: 2018-06-18T00:00:00

Link: CVE-2018-12533

JSON object: View

NVD Information

Status : Modified

Published: 2018-06-18T12:29:00.280

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-12533

JSON object: View

Redhat Information

No data.

CWE

CWE-917

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-06-18T00:00:00", "descriptions": [{"lang": "en", "value": "JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-14T00:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2018:2664", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2664"}, {"name": "1041617", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041617"}, {"tags": ["x_refsource_MISC"], "url": "https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html"}, {"name": "RHSA-2018:2663", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2663"}, {"name": "104502", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104502"}, {"name": "RHSA-2018:2930", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2930"}, {"name": "20200313 RichFaces exploitation toolkit", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2020/Mar/21"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-12533", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:2664", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2664"}, {"name": "1041617", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041617"}, {"name": "https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html", "refsource": "MISC", "url": "https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html"}, {"name": "RHSA-2018:2663", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2663"}, {"name": "104502", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104502"}, {"name": "RHSA-2018:2930", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2930"}, {"name": "20200313 RichFaces exploitation toolkit", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2020/Mar/21"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-12533", "datePublished": "2018-06-18T12:00:00", "dateReserved": "2018-06-18T00:00:00", "dateUpdated": "2020-03-14T00:06:04", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:richfaces:*:*:*:*:*:*:*:*", "matchCriteriaId": "807E3104-B229-4E35-BA74-821AEA1D52C8", "versionEndIncluding": "3.3.4", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310."}, {"lang": "es", "value": "JBoss RichFaces, de la versi\u00f3n 3.1.0 hasta la 3.3.4, permite que atacantes remotos no autenticados inyecten expresiones de lenguaje de expresi\u00f3n (EL) y ejecuten c\u00f3digo Java arbitrario mediante una subcadena /DATA/ en una ruta con un objeto org.richfaces.renderkit.html.Paint2DResource$ImageData. Esto tambi\u00e9n se conoce como RF-14310."}], "id": "CVE-2018-12533", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-18T12:29:00.280", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2020/Mar/21"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104502"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041617"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2663"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2664"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2930"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"}], "source": "nvd@nist.gov", "type": "Primary"}]}