CVE-2015-0279 - Vulnerability Details - OpenCVE

JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.06506.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Jboss Enterprise Web Framework Richfaces

Configuration 1 [-]

cpe:2.3:a:redhat:richfaces:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat JBoss Web Framework Kit 2.7
	cpe:/a:redhat:jboss_enterprise_web_framework:2.7.0	RHSA-2015:0719	2015-03-24T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2015-0292	JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://jvn.jp/en/jp/JVN56297719/index.html
http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001959.html
http://packetstormsecurity.com/files/153734/Tufin-Secure-Change-Remote-Code-Execution.html
http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html
http://rhn.redhat.com/errata/RHSA-2015-0719.html
http://seclists.org/fulldisclosure/2019/Jul/21
http://seclists.org/fulldisclosure/2020/Mar/21
https://bugzilla.redhat.com/show_bug.cgi?id=1192140
https://nvd.nist.gov/vuln/detail/CVE-2015-0279
https://www.cve.org/CVERecord?id=CVE-2015-0279

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2015-03-26T14:00:00

Updated: 2024-08-06T04:03:10.884Z

Reserved: 2014-11-18T00:00:00

Link: CVE-2015-0279

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-03-26T14:59:00.070

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-0279

Redhat

Severity : Important

Publid Date: 2015-03-24T00:00:00Z

Links: CVE-2015-0279 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-24T00:00:00", "descriptions": [{"lang": "en", "value": "JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-14T00:06:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192140"}, {"name": "RHSA-2015:0719", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0719.html"}, {"name": "JVN#56297719", "tags": ["third-party-advisory", "x_refsource_JVN"], "url": "http://jvn.jp/en/jp/JVN56297719/index.html"}, {"name": "JVNDB-2015-001959", "tags": ["third-party-advisory", "x_refsource_JVNDB"], "url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001959.html"}, {"name": "20190723 Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Jul/21"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/153734/Tufin-Secure-Change-Remote-Code-Execution.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"}, {"name": "20200313 RichFaces exploitation toolkit", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2020/Mar/21"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-0279", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1192140", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192140"}, {"name": "RHSA-2015:0719", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0719.html"}, {"name": "JVN#56297719", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN56297719/index.html"}, {"name": "JVNDB-2015-001959", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001959.html"}, {"name": "20190723 Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Jul/21"}, {"name": "http://packetstormsecurity.com/files/153734/Tufin-Secure-Change-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/153734/Tufin-Secure-Change-Remote-Code-Execution.html"}, {"name": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"}, {"name": "20200313 RichFaces exploitation toolkit", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2020/Mar/21"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:03:10.884Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192140"}, {"name": "RHSA-2015:0719", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0719.html"}, {"name": "JVN#56297719", "tags": ["third-party-advisory", "x_refsource_JVN", "x_transferred"], "url": "http://jvn.jp/en/jp/JVN56297719/index.html"}, {"name": "JVNDB-2015-001959", "tags": ["third-party-advisory", "x_refsource_JVNDB", "x_transferred"], "url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001959.html"}, {"name": "20190723 Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Jul/21"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/153734/Tufin-Secure-Change-Remote-Code-Execution.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"}, {"name": "20200313 RichFaces exploitation toolkit", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2020/Mar/21"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-0279", "datePublished": "2015-03-26T14:00:00", "dateReserved": "2014-11-18T00:00:00", "dateUpdated": "2024-08-06T04:03:10.884Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:richfaces:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF2058B7-E4C6-4759-89F4-BBF0180CDA69", "versionEndIncluding": "4.5.4", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter."}, {"lang": "es", "value": "JBoss RichFaces anterior a 4.5.4 permite a atacantes remotos inyectar expresiones del lenguaje de expresiones (EL) y ejecutar c\u00f3digo Java arbitrario a trav\u00e9s del par\u00e1metro do."}], "id": "CVE-2015-0279", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-03-26T14:59:00.070", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://jvn.jp/en/jp/JVN56297719/index.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001959.html"}, {"source": "secalert@redhat.com", "url": "http://packetstormsecurity.com/files/153734/Tufin-Secure-Change-Remote-Code-Execution.html"}, {"source": "secalert@redhat.com", "url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0719.html"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2019/Jul/21"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2020/Mar/21"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192140"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://jvn.jp/en/jp/JVN56297719/index.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-001959.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/153734/Tufin-Secure-Change-Remote-Code-Execution.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0719.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2019/Jul/21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2020/Mar/21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192140"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Takeshi Terada (Mitsui Bussan Secure Directions, Inc.) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2015:0719", "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.7.0", "product_name": "Red Hat JBoss Web Framework Kit 2.7", "release_date": "2015-03-24T00:00:00Z"}], "bugzilla": {"description": "RichFaces: Remote Command Execution via insufficient EL parameter sanitization", "id": "1192140", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192140"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-95", "details": ["JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.", "It was found that the 'do' parameter permitted expression language (EL) injection, which could allow a remote attacker to execute Java methods on an affected server."], "name": "CVE-2015-0279", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "wildfly", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Not affected", "package_name": "richfaces", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "wildfly", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Affected", "package_name": "wildfly", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Affected", "package_name": "richfaces", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Affected", "package_name": "richfaces", "product_name": "Red Hat JBoss Portal 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Affected", "package_name": "widlfly", "product_name": "Red Hat JBoss SOA Platform 5"}], "public_date": "2015-03-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-0279\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-0279"], "statement": "This issue did not affect any version of Red Hat JBoss Enterprise Application Platform 5 as they did not include the vulnerable version of the RichFaces component. JBoss EAP 5.x includes versions 3.3.1.x of RichFaces; this vulnerability was introduced in version 4.x of RichFaces.", "threat_severity": "Important"}