CVE-2017-1000486
In short
Primefaces 5.x uses weak encryption that allows attackers to bypass security controls and execute arbitrary code on the server. This is a critical vulnerability because it gives complete control of the application to an attacker.
Technical detail
Primefaces 5.x implements inadequate encryption (CWE-326) for sensitive data protection, enabling attackers to decrypt or manipulate encrypted values without authentication. This weak cryptographic implementation can be exploited to achieve remote code execution, resulting in complete system compromise.
Summary generated and translated by AI from the official description.
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a
Public PoCs found: 9
github: github.com/pimps/CVE-2017-1000486 (★ 94)
github: github.com/0xdsm/pwnfaces (★ 19)
github: github.com/mogwailabs/CVE-2017-1000486 (★ 9)
github: github.com/Pastea/CVE-2017-1000486 (★ 4)
github: github.com/jam620/primefaces (★ 0)
github: github.com/LongWayHomie/CVE-2017-1000486 (★ 0)
github: github.com/cved-sources/cve-2017-1000486 (★ 0)
exploitdb: www.exploit-db.com/exploits/43733 (unverified)
cve_reference: www.exploit-db.com/exploits/43733/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
https://cryptosense.com/weak-encryption-flaw-in-primefaces/
https://github.com/primefaces/primefaces/issues/1152
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000486
https://www.exploit-db.com/exploits/43733/