The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRed Hat Enterprise Linux
OSRedhat5.06.0Red Hat Richfaces
APPRedhat3.1.0 – 3.3.4
CISA KEV — detailsi
- Vendori
- Red Hat ↗
- Producti
- JBoss RichFaces Framework
- Added to KEVi
- September 28, 2023
- Remediation deadline (US Federal)i
- October 19, 2023(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Related vulnerabilities
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the...
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variab...
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...