Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWoyMzktNGdxZy01ajU0
Inadequate Encryption Strength
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
Permalink: https://github.com/advisories/GHSA-j239-4gqg-5j54JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWoyMzktNGdxZy01ajU0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-j239-4gqg-5j54, CVE-2017-1000486
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000486
- https://github.com/primefaces/primefaces/issues/1152
- https://cryptosense.com/weak-encryption-flaw-in-primefaces/
- https://www.exploit-db.com/exploits/43733/
- http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
- https://github.com/advisories/GHSA-j239-4gqg-5j54
Blast Radius: 39.9
Affected Packages
maven:org.primefaces:primefaces
Dependent packages: 224Dependent repositories: 11,722
Downloads:
Affected Version Ranges: >= 5.0, < 6.0
Fixed in: 6.0
All affected versions:
All unaffected versions: 10.0.0, 11.0.0, 12.0.0, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 13.0.5, 13.0.6, 13.0.7, 13.0.8