CVE-2018-14667
Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
- Public Exploits: 8
- Exploited in Wild: Yes
- Decision: Act
Descriptions
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
The RichFaces Framework in versions 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of serialized Java objects via org.ajax4jsf.resource.UserResource$UriData.
Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This asynchronous patch is a security update for the RichFaces package in Red Hat JBoss SOA Platform 5.3.1. Issues addressed include a code execution vulnerability.
Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
SSVC
- Decision: Act
Timeline
- 2018-07-27 CVE Reserved
- 2018-11-06 CVE Published
- 2018-11-20 First Exploit
- 2023-09-28 Exploited in Wild
- 2023-10-19 KEV Due Date
- 2025-02-07 CVE Updated
- 2025-04-03 EPSS Updated
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
References (18)

URL | Tag | Source
---|---|---
http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html | Third Party Advisory |
http://seclists.org/fulldisclosure/2020/Mar/21 | Mailing List |
http://www.securitytracker.com/id/1042037 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://packetstorm.news/files/id/150412 | 2018-11-20 |
https://packetstorm.news/files/id/156663 | 2020-03-09 |
https://github.com/syriusbughunt/CVE-2018-14667 | 2018-11-30 |
https://github.com/Venscor/CVE-2018-14667-poc | 2019-09-24 |
https://github.com/zeroto01/CVE-2018-14667 | 2018-11-23 |
https://github.com/r00t4dm/CVE-2018-14667 | 2018-11-29 |
https://github.com/nareshmail/cve-2018-14667 | 2020-04-01 |
https://github.com/quandqn/cve-2018-14667 | 2024-04-26 |

URL | Date | SRC
---|---|---
https://access.redhat.com/errata/RHSA-2018:3517 | 2020-08-28 |
https://access.redhat.com/errata/RHSA-2018:3518 | 2020-08-28 |
https://access.redhat.com/errata/RHSA-2018:3519 | 2020-08-28 |
https://access.redhat.com/errata/RHSA-2018:3581 | 2020-08-28 |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667 | 2020-08-28 |
https://access.redhat.com/security/cve/CVE-2018-14667 | 2018-11-13 |
https://bugzilla.redhat.com/show_bug.cgi?id=1639139 | 2018-11-13 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Redhat | Richfaces | >= 3.1.0 <= 3.3.4 | - | Affected
Redhat | Enterprise Linux | 5.0 | - | Affected
Redhat | Enterprise Linux | 6.0 | - | Affected