Bug 760692 (CVE-2011-4343) - CVE-2011-4343 MyFaces 2: EL injection, includeViewParameters re-evaluates param/model values as EL expressions
Summary: CVE-2011-4343 MyFaces 2: EL injection, includeViewParameters re-evaluates par...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-4343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 757982 (view as bug list)
Depends On:
Blocks: 760693
TreeView+ depends on / blocked
 
Reported: 2011-12-06 19:17 UTC by Vincent Danen
Modified: 2021-02-24 13:40 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-12-07 04:37:02 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2011-12-06 19:17:29 UTC 
It was reported [1],[2] that Apache MyFaces 2 would re-evaluate param/model values as EL expressions under certain conditions. If a submit outcome included both faces-redirect=true and includeViewParams=true (or faces-include-view-params=true), it would be possible to inject EL expressions directly into input fields mapped as view parameters.

This is fixed in upstream versions 2.0.11 and 2.1.5.  A patch [3] and reproducer [4] are available.

[1] http://java.net/jira/browse/JAVASERVERFACES-2247
[2] https://issues.apache.org/jira/browse/MYFACES-3405
[3] https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch
[4] http://www.jakobk.com/2011/11/jsf-value-expression-injection-vulnerability/
Comment 1 David Jorm 2011-12-07 04:37:02 UTC 
Statement:

Not vulnerable. This issue affects the MyFaces 2 package, which is not shipped with any Red Hat products.
Comment 2 David Jorm 2011-12-07 04:37:44 UTC 
*** Bug 757982 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.