CVE-2017-1000486

Description

Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution

How to fix CVE-2017-1000486

To remediate CVE-2017-1000486, upgrade the affected package to a fixed version below.

• Maven/org.primefaces:primefaces—upgrade to 6.0 or later

Is CVE-2017-1000486 being exploited?

Yes — CVE-2017-1000486 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

• >= 5.0, < 6.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-1000486
• WEBblog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
• WEBcryptosense.com/weak-encryption-flaw-in-primefaces
• WEBgithub.com/primefaces/primefaces/issues/1152