CVE-2018-14667

Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

RichFaces Framework en versiones 3.X hasta la 3.3.4 es vulnerable a una inyección Expression Language (EL) mediante el recurso UserResource. Un atacante no autenticado remoto podría explotar esto para ejecutar código arbitrario mediante una cadena de objetos Java serializados mediante org.ajax4jsf.resource.UserResource$UriData.

Richfaces version 3.x suffers from a remote code execution vulnerability.

Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-07-27 CVE Reserved
2018-11-06 CVE Published
2018-11-23 First Exploit
2023-09-28 Exploited in Wild
2023-10-19 KEV Due Date
2024-08-05 CVE Updated
2024-10-16 EPSS Updated

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (14)

URL	Tag	Source
http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html	Third Party Advisory
http://seclists.org/fulldisclosure/2020/Mar/21	Mailing List
http://www.securitytracker.com/id/1042037	Third Party Advisory

URL	Date	SRC
https://github.com/syriusbughunt/CVE-2018-14667	2018-11-30
https://github.com/Venscor/CVE-2018-14667-poc	2019-09-24
https://github.com/zeroto01/CVE-2018-14667	2018-11-23
https://github.com/r00t4dm/CVE-2018-14667	2018-11-29

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:3517	2020-08-28
https://access.redhat.com/errata/RHSA-2018:3518	2020-08-28
https://access.redhat.com/errata/RHSA-2018:3519	2020-08-28
https://access.redhat.com/errata/RHSA-2018:3581	2020-08-28
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667	2020-08-28
https://access.redhat.com/security/cve/CVE-2018-14667	2018-11-13
https://bugzilla.redhat.com/show_bug.cgi?id=1639139	2018-11-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Richfaces Search vendor "Redhat" for product "Richfaces"				>= 3.1.0 <= 3.3.4 Search vendor "Redhat" for product "Richfaces" and version " >= 3.1.0 <= 3.3.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				5.0 Search vendor "Redhat" for product "Enterprise Linux" and version "5.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"		-		Affected