US Cybersecurity and Infrastructure Security Agency (CISA) added the critical flaw CVE-2018-14667 (CVSS score 9.8) affecting Red Hat JBoss RichFaces Framework to its Known Exploited Vulnerabilities Catalog.
The issue is an Expression Language (EL) injection via the UserResource resource, it affects RichFaces Framework 3.X through 3.3.4. A remote, unauthenticated attacker could exploit this vulnerability to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
The vulnerability was discovered by the security researcher Joao Filho Matos Figueiredo.