CVE-2018-14667 – Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
https://notcve.org/view.php?id=CVE-2018-14667
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData. RichFaces version 3.x suffers from a remote code execution vulnerability.
• https://github.com/syriusbughunt/CVE-2018-14667
  https://github.com/Venscor/CVE-2018-14667-poc
  https://github.com/zeroto01/CVE-2018-14667
  https://github.com/r00t4dm/CVE-2018-14667
  http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html
  http://seclists.org/fulldisclosure/2020/Mar/21
  http://www.securitytracker.com/id/1042037
  https://access.redhat.com/errata/RHSA-2018:3517
  https://access.redhat.com/errata/RHSA-2018:3518
  https://access.redhat.com/errata
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2018-12532
https://notcve.org/view.php?id=CVE-2018-12532
JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309.
• http://seclists.org/fulldisclosure/2020/Mar/21
  http://www.securityfocus.com/bid/104503
  https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
• CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2018-12533 – RichFaces: Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource
https://notcve.org/view.php?id=CVE-2018-12533
JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.
• https://github.com/llamaonsecurity/CVE-2018-12533
  https://github.com/Pastea/CVE-2018-12533
  http://seclists.org/fulldisclosure/2020/Mar/21
  http://www.securityfocus.com/bid/104502
  http://www.securitytracker.com/id/1041617
  https://access.redhat.com/errata/RHSA-2018:2663
  https://access.redhat.com/errata/RHSA-2018:2664
  https://access.redhat.com/errata/RHSA-2018:2930
  https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html
  https://access.redhat.com/security/cve/CVE-2018-12533&
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2015-0279 – RichFaces: Remote Command Execution via insufficient EL parameter sanitization
https://notcve.org/view.php?id=CVE-2015-0279
JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter. It was found that the 'do' parameter permitted expression language (EL) injection, which could allow a remote attacker to execute Java methods on an affected server.
• http://jvn.jp/en/jp/JVN56297719/index.html
  http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001959.html
  http://packetstormsecurity.com/files/153734/Tufin-Secure-Change-Remote-Code-Execution.html
  http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html
  http://rhn.redhat.com/errata/RHSA-2015-0719.html
  http://seclists.org/fulldisclosure/2019/Jul/21
  http://seclists.org/fulldisclosure/2020/Mar/21
  https://bugzilla.redhat.com/show_bug.cgi?id=1192140
  https://a
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVE-2014-0086 – RichFaces: remote denial of service via memory exhaustion
https://notcve.org/view.php?id=CVE-2014-0086
The doFilter function in webapp/PushHandlerFilter.java in JBoss RichFaces 4.3.4, 4.3.5, and 5.x allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a large number of malformed atmosphere push requests. It was found that certain malformed requests caused RichFaces to leak memory. A remote, unauthenticated attacker could use this flaw to send a large number of malformed requests to a RichFaces application that uses the Atmosphere framework, leading to a denial of service (excessive memory consumption) on the application server.
• http://rhn.redhat.com/errata/RHSA-2014-0335.html
  http://secunia.com/advisories/57053
  https://bugzilla.redhat.com/show_bug.cgi?id=1067268
  https://github.com/pslegr/core-1/commit/8131f15003f5bec73d475d2b724472e4b87d0757
  https://issues.jboss.org/browse/RF-13250
  https://access.redhat.com/security/cve/CVE-2014-0086
• CWE-20: Improper Input Validation