CVE-2018-12533

RichFaces: Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource

Severity Score: 9.8 (CVSS v3)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 3 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.

Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. This JBoss Operations Network 3.3.11 release serves as a replacement for JBoss Operations Network 3.3.10, and includes several bug fixes. Issues addressed include code execution, denial of service, and deserialization vulnerabilities.

Credits: N/A

CVSS Scores

CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-06-18 CVE Reserved
  • 2018-06-18 CVE Published
  • 2021-02-03 First Exploit
  • 2024-08-05 CVE Updated
  • 2025-07-06 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Redhat
  • Product: Richfaces
  • Version: >= 3.1.0 <= 3.3.4
  • Other: -
  • Status: Affected