7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2011-4343

GHSA ID

GHSA-jq6g-p65r-44xr

EPSS Score

0.60438%

CWE

CWE-200

Published

5/17/2022

Updated

1/17/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2011-4343

CVE-2011-4343: Apache MyFaces Vulnerable to EL Injection

Information disclosure vulnerability in Apache MyFaces Core 2.0.1 through 2.0.10 and 2.1.0 through 2.1.4 allows remote attackers to inject EL expressions via crafted parameters.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2011-4343

GHSA ID

GHSA-jq6g-p65r-44xr

EPSS Score

0.60438%

CWE

CWE-200

Published

5/17/2022

Updated

1/17/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.myfaces.core:myfaces-core-module	maven	>= 2.0.1, <= 2.0.10	2.0.11
org.apache.myfaces.core:myfaces-core-module	maven	>= 2.1.0, <= 2.1.4	2.1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper EL expression evaluation in navigation parameter handling. The patch introduces _NavigationUtils.getEvaluatedNavigationParameters to sanitize parameters, replacing direct usage of getParameters() in critical URL generation paths. The removed _evaluateValueExpressions in ServletExternalContextImpl and unpatched parameter handling in NavigationCase methods would allow crafted EL expressions to be injected into URLs. The high confidence comes from explicit patch changes showing parameter evaluation was added where it was previously missing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In*orm*tion *is*losur* vuln*r**ility in *p**** My****s *or* *.*.* t*rou** *.*.** *n* *.*.* t*rou** *.*.* *llows r*mot* *tt**k*rs to inj**t *L *xpr*ssions vi* *r**t** p*r*m*t*rs.

Reasoning

T** vuln*r**ility st*ms *rom improp*r *L *xpr*ssion *v*lu*tion in n*vi**tion p*r*m*t*r **n*lin*. T** p*t** intro*u**s _N*vi**tionUtils.**t*v*lu*t**N*vi**tionP*r*m*t*rs to s*nitiz* p*r*m*t*rs, r*pl**in* *ir**t us*** o* **tP*r*m*t*rs() in *riti**l URL

7.5

Basic Information

Concerned about an active attack path?

CVE-2011-4343: Apache MyFaces Vulnerable to EL Injection

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI