CVE-2013-2165
Severity CVSS v4.0: Pending analysis
Type: CWE-264 (Permissions, Privileges, and Access Control)
Publication date: 23/07/2013
Last modified: 11/04/2025
Description
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.
Impact
Base Score 2.0: 7.50
Severity 2.0: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:cp10:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.1.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.2.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.0:*:*:*:*:*:*:* | | |
| cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.3.1:*:*:*:*:*:*:* | | |
This table lists only a subset of the affected CPE names; the complete list of products and versions is available on the full record page.
References to Advisories, Solutions, and Tools
- http://jvn.jp/en/jp/JVN38787103/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072
- http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html
- http://rhn.redhat.com/errata/RHSA-2013-1041.html
- http://rhn.redhat.com/errata/RHSA-2013-1042.html
- http://rhn.redhat.com/errata/RHSA-2013-1043.html
- http://rhn.redhat.com/errata/RHSA-2013-1044.html
- http://rhn.redhat.com/errata/RHSA-2013-1045.html
- http://seclists.org/fulldisclosure/2020/Mar/21
- https://access.redhat.com/security/cve/CVE-2013-2165
- https://bugzilla.redhat.com/show_bug.cgi?id=973570