漏洞类别:CGI
漏洞等级: 
漏洞信息
The RichFaces project is an advanced UI component framework for easily integrating Ajax capabilities into business applications using JSF.
The ResourceBuilderImpl.java source file implemented in vulnerable RichFaces implementation in Red Hat JBoss Web Framework Kit fails to restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.
Affected Versions:
RichFaces 3, 4 and 5
QID Detection Logic:
This unauthenticated QID tries to detect the version of RichFaces based on information presented in the admin-console/login.seam source page.
漏洞危害
Successful exploitation allows unauthenticated, remote attackers to execute arbitrary code within the context of the application.
解决方案
Customers are advised to upgrade to RichFaces 3.3.4.Final or RichFaces 4.3.3.Final or later versions to remediate this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论