Vulnerability Details : CVE-2017-1000486
Public exploit exists!
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
Vulnerability category: Execute code
Products affected by CVE-2017-1000486
- cpe:2.3:a:primetek:primefaces:*:*:*:*:*:*:*:*
- cpe:2.3:a:primetek:primefaces:*:*:*:*:*:*:*:*
- cpe:2.3:a:primetek:primefaces:*:*:*:*:*:*:*:*
CVE-2017-1000486 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Primetek Primefaces Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Primetek Primefaces is vulnerable to a weak encryption flaw resulting in remote code execution
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000486
Added on
2022-01-10
Action due date
2022-07-10
Exploit prediction scoring system (EPSS) score for CVE-2017-1000486
94.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2017-1000486
-
Primefaces Remote Code Execution Exploit
Disclosure Date: 2016-02-15First seen: 2024-12-07exploit/multi/http/primefaces_weak_encryption_rceThis module exploits a Java Expression Language remote code execution flaw in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and sa
CVSS scores for CVE-2017-1000486
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-07 |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | 2025-01-22 |
CWE ids for CVE-2017-1000486
-
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2017-1000486
-
http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
Minded Security Blog: RCE in Oracle NetBeans Opensource Plugins: PrimeFaces 5.x Expression Language InjectionExploit;Third Party Advisory
-
https://www.exploit-db.com/exploits/43733/
Primefaces 5.x - Remote Code Execution (Metasploit)Third Party Advisory;VDB Entry
-
https://github.com/primefaces/primefaces/issues/1152
Potential EL Injection · Issue #1152 · primefaces/primefaces · GitHubIssue Tracking;Third Party Advisory
-
https://cryptosense.com/weak-encryption-flaw-in-primefaces/
Weak Encryption Flaw in PrimeFaces | CryptosenseThird Party Advisory;Broken Link
Jump to