oss-sec mailing list archives
Re: CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 06 Dec 2011 21:25:07 -0700
On 11/28/2011 10:21 PM, Kurt Seifried wrote:
On 11/28/2011 10:16 PM, David Jorm wrote:It has been found that when includeViewParameters is set to true, JSF 2 as implemented by Mojarra and MyFaces will re-evaluate parameter/model values as EL expressions. Original bug: http://java.net/jira/browse/JAVASERVERFACES-2247 MyFaces bug: https://issues.apache.org/jira/browse/MYFACES-3405 Write-up/reproducer: http://www.jakobk.com/2011/11/jsf-value-expression-injection-vulnerability/ ThanksPlease use CVE-2011-4358 for the Mojarra instance of this vulnerable. Please use CVE-2011-4359 for the MyFaces instance of this vulnerable.
And I have been informed that CVE-2011-4343 was previously assigned for the Apache MyFaces issue, so CVE-2011-4359 is a duplicate and should be rejected. -- -Kurt Seifried / Red Hat Security Response Team
Current thread:
- CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces David Jorm (Nov 28)
- Re: CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces Kurt Seifried (Nov 28)
- Re: CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces Kurt Seifried (Dec 06)
- Re: CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces Kurt Seifried (Nov 28)