CVE-2018-12532: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

May 13, 2022 (updated November 8, 2022)

JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource’s resource request, aka RF-14309.

References

seclists.org/fulldisclosure/2020/Mar/21
codewhitesec.blogspot.com/2018/05/poor-richfaces.html
github.com/advisories/GHSA-3hx6-fqpj-xfjr
nvd.nist.gov/vuln/detail/CVE-2018-12532

Detect and mitigate CVE-2018-12532 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →