CVE-2017-1000486: Inadequate Encryption Strength

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.99886%
Published: 6/3/2021
Updated: 1/22/2025
KEV Status: Yes
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: org.primefaces:primefaces
Ecosystem: maven
Vulnerable Versions: >= 5.0, < 6.0
First Patched Version: 6.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability chain involves three key components:

  1. StreamedContentHandler processes the untrusted 'pfdrid' request parameter, decrypts it using StringEncrypter, and evaluates the decrypted content as EL.
  2. StringEncrypter uses cryptographically weak algorithms (DES with a static salt) together with a default password.
  3. ConfigContainer enforces the weak default password whenever no override is configured.

Runtime detection would observe StringEncrypter.decrypt() processing attacker-controlled ciphertexts, followed by EL evaluation in StreamedContentHandler. The ConfigContainer initialization shows the weak default being set when no configuration exists.

WAF Protection Rules

WAF Rule

PrimeTek PrimeFaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
