Red Hat JBoss RichFaces Expression Language Injection Arbitrary Code Execution Vulnerability



A vulnerability in Red Hat JBoss RichFaces could allow an unauthenticated, remote attacker to inject arbitrary code on a targeted system.

The vulnerability exists because the affected software allows injection of arbitrary Expression Language (EL) expressions. An attacker could exploit this vulnerability by using the org.ajax4jsf.resource.UserResource$UriData object to pass malicious resource data to the targeted system. A successful exploit could allow the attacker to execute arbitrary Java code on the system.

Red Hat has confirmed the vulnerability and released software updates.

Security Impact Rating: Critical

CVE: CVE-2018-14667

Source: Cisco Multivendor Vulnerability Alerts