Arbitrary Code Execution Affecting org.primefaces:primefaces package, versions [5.0, 6.0)
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Mature
EPSS
97.01% (100th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGPRIMEFACES-32045
- published 23 Jan 2018
- disclosed 15 Feb 2016
- credit Giorgio Fedon
Introduced: 15 Feb 2016
CVE-2017-1000486 Open this link in a new tabHow to fix?
Upgrade org.primefaces:primefaces to version 6.0 or higher.
Overview
org.primefaces:primefaces is a UI library for the Java EE Ecosystem.
Affected versions of this package are vulnerable to Arbitrary Code Execution due to a weak encryption flaw. An unauthenticated user may be able to inject arbitrary Expression Language code to the PrimeFaces custom EL parser.
References
- https://cryptosense.com/weak-encryption-flaw-in-primefaces/
- https://www.exploit-db.com/exploits/43733
- https://www.exploit-db.com/exploits/43733/
- http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
- https://github.com/primefaces/primefaces/commit/26e44eb7962cbdb6aa2f47eca0f230f3274358f0
- https://github.com/primefaces/primefaces/issues/1152