5.8.0

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

nuxeo

CWE-502

critical

NVD

Published: 2020-02-06

Updated: 2020-02-13

Summary

RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165.

Vulnerable Configurations

Part	Description	Count
Application	Nuxeo Nuxeo Nuxeo 5.8.0 Nuxeo Nuxeo 5.6.0	28

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

http://doc.nuxeo.com/display/public/ADMINDOC58/Nuxeo+Security+Hotfixes
https://github.com/nuxeo/richfaces/commit/6cbad2a6dcb70d3e33a6ce5879b1a3ad79eb1aec
https://bugzilla.redhat.com/show_bug.cgi?id=1027052