CVE-2011-4343

moderate-risk

Published 2017-08-08

Information disclosure vulnerability in Apache MyFaces Core 2.0.1 through 2.0.10 and 2.1.0 through 2.1.4 allows remote attackers to inject EL expressions via crafted parameters.

Do I need to act?

0.86% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (15)

Myfaces

Affected Vendors

Apache

References (6)

Third Party Advisory http://marc.info/?l=full-disclosure&m=132313252814362

http://www.securitytracker.com/id/1039695

Patch https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch

Third Party Advisory http://marc.info/?l=full-disclosure&m=132313252814362

http://www.securitytracker.com/id/1039695

Patch https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 18/34 · Moderate