CVE-2017-1000486: Inadequate Encryption Strength
CVSS Score: 9.8 (CVSS 3.0)
Basic Information
CVE ID: CVE-2017-1000486
GHSA ID
EPSS Score: 0.99886%
CWE
Published: 6/3/2021
Updated: 1/22/2025
KEV Status: Yes
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.primefaces:primefaces | maven | >= 5.0, < 6.0 | 6.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability chain involves three key components:
- StreamedContentHandler reads the untrusted 'pfdrid' request parameter, decrypts it with StringEncrypter, and evaluates the decrypted string as an EL expression
- StringEncrypter uses cryptographically weak algorithms (DES with a static salt) together with a default password
- ConfigContainer enforces the weak default password when it is not overridden in the configuration

Runtime detection would observe StringEncrypter.decrypt() processing attacker-controlled ciphertexts, followed by EL evaluation in StreamedContentHandler. The ConfigContainer initialization shows the weak default being set when no configuration exists.