oss-sec mailing list archives

Re: CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces

From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 28 Nov 2011 22:21:34 -0700

On 11/28/2011 10:16 PM, David Jorm wrote:

It has been found that when includeViewParameters is set to true, JSF 2 as implemented by Mojarra and MyFaces will 
re-evaluate parameter/model values as EL expressions.

Original bug:
http://java.net/jira/browse/JAVASERVERFACES-2247

MyFaces bug:
https://issues.apache.org/jira/browse/MYFACES-3405

Write-up/reproducer:
http://www.jakobk.com/2011/11/jsf-value-expression-injection-vulnerability/

Thanks

Please use CVE-2011-4358  for the Mojarra instance of this vulnerable.

Please use CVE-2011-4359  for the MyFaces instance of this vulnerable.

-- 

-Kurt Seifried / Red Hat Security Response Team

Current thread:

CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces David Jorm (Nov 28)
- Re: CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces Kurt Seifried (Nov 28)
  - Re: CVE request: includeViewParameters re-evaluates param/model values as EL expressions on Mojarra/MyFaces Kurt Seifried (Dec 06)