GHSA-vp6r-9m58-5xv8: OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request
URL containing an EL expression in the resource name, which is evaluated server-side.
The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.
Applications using CDNResourceHandler without wildcard mappings (i.e. only explicit resource-to-URL mappings) are not affected.
References
Code Behaviors & Features
Detect and mitigate GHSA-vp6r-9m58-5xv8 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →