CVE-2013-2165
Remote code execution due to insecure deserialization
EPSS 24.1%
Description
A flaw was found in the way JBoss RichFaces handled deserialization. A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes.
How to fix CVE-2013-2165
To remediate CVE-2013-2165, upgrade the affected package to a fixed version below.
- Maven/org.richfaces:richfaces: upgrade to 3.3.3 or later
Is CVE-2013-2165 being exploited?
Moderate: EPSS is 24.1%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Maven/org.richfaces:richfaces: >= 3.1.0, < 3.3.3