Arbitrary EL Evaluation in RichFaces

Description

RichFaces is a widely-used component library for JavaServer Faces (JSF) that reached end-of-life in June 2016. Multiple versions contain critical Expression Language (EL) injection vulnerabilities that allow attackers to execute arbitrary code remotely.

RF-14310: RichFaces 3.x versions up to and including 3.3.4 are vulnerable to arbitrary EL expression injection through the org.richfaces.renderkit.html.Paint2DResource component, enabling remote code execution without authentication.

RF-14309: RichFaces 4.5.3 through 4.5.17 contain an EL variable mapper injection vulnerability that bypasses the security fix for CVE-2015-0279, allowing attackers to achieve remote code execution despite previous mitigation attempts.

Remediation

Since RichFaces has reached end-of-life and will not receive security updates, organizations should prioritize migrating to actively maintained JSF component libraries. Until migration is complete, implement the following immediate mitigations:

Immediate Mitigation (Temporary):

1. Block CVE-2013-2165 and RF-14310: Configure your web application firewall, reverse proxy, or servlet filter to reject all requests containing /DATA/ in the URL path.

2. Block CVE-2015-0279 and RF-14309: Reject all requests containing org.richfaces.resource.MediaOutputResource (in plain text or URL-encoded form) in the URL path.

Example Web Application Filter (Java):

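import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.net.URLDecoder;

// Map this filter to /* (web.xml or @WebFilter) so it runs on every request.
public class RichFacesSecurityFilter implements Filter {
    private static final String DATA_SEGMENT = "/DATA/";
    private static final String MEDIA_OUTPUT = "org.richfaces.resource.MediaOutputResource";

    // init() and destroy() must be implemented explicitly on Servlet API versions before 4.0.
    public void init(FilterConfig filterConfig) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response,
                        FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // getRequestURI() returns the path as the client sent it, without URL decoding.
        String uri = httpRequest.getRequestURI();
        String decodedUri;
        try {
            decodedUri = URLDecoder.decode(uri, "UTF-8");
        } catch (IllegalArgumentException e) {
            // Malformed percent-encoding: reject the request instead of failing with an unhandled exception.
            httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Check both the raw and the decoded form against the two blocked patterns.
        if (uri.contains(DATA_SEGMENT) || decodedUri.contains(DATA_SEGMENT) ||
            uri.contains(MEDIA_OUTPUT) || decodedUri.contains(MEDIA_OUTPUT)) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}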
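
The same two match rules can also be run over existing access logs to check whether matching requests have already reached the application and how the server answered them. This is an added example, not code from this page's vendor or from RichFaces; the common/combined log format, the sample lines, the function names and the repeated percent-decoding (which goes one step beyond the single decode in the filter) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators taken from the two mitigation rules above.
RULES = {
    "CVE-2013-2165 / RF-14310": "/DATA/",
    "CVE-2015-0279 / RF-14309": "org.richfaces.resource.MediaOutputResource",
}

# Assumed common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder paths); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /shop/index.jsf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "GET /shop/res/DATA/CONSTRUCTED HTTP/1.1" 200 312',
    '198.51.100.7 - - [12/Mar/2024:10:01:09 +0000] "GET /shop/res%2FDATA%2FCONSTRUCTED HTTP/1.1" 403 0',
    '203.0.113.44 - - [12/Mar/2024:10:02:11 +0000] "POST /shop/org%2Erichfaces%2Eresource%2EMediaOutputResource?x=CONSTRUCTED HTTP/1.1" 403 0',
    '203.0.113.44 - - [12/Mar/2024:10:02:15 +0000] "GET /shop/res%252FDATA%252FCONSTRUCTED HTTP/1.1" 404 0',
    '192.0.2.10 - - [12/Mar/2024:10:03:00 +0000] "GET /shop/search.jsf?q=/DATA/ HTTP/1.1" 200 2048',
]

def decoded_forms(path, max_rounds=3):
    """Return the raw path followed by each successive percent-decoding of it."""
    forms = [path]
    for _ in range(max_rounds):
        nxt = unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms

def scan(lines):
    """Return (client, time, status, rule, raw_path) for every request matching a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        path = urlsplit(m.group("target")).path  # rules apply to the URL path only
        forms = decoded_forms(path)
        for rule, needle in RULES.items():
            if any(needle in form for form in forms):
                hits.append((m.group("client"), m.group("time"), int(m.group("status")), rule, path))
    return hits
```

In the result of `scan(SAMPLE_LOG)`, a matching request logged with status 200 was served rather than rejected, while 403 entries show the blocking rule taking effect.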

Long-term Solution:

Migrate away from RichFaces to actively maintained alternatives such as PrimeFaces, BootsFaces, or other modern JSF component libraries. Plan and execute this migration as a high-priority security initiative, as temporary mitigations may not protect against all attack vectors or future exploit variations.
