Command injection Affecting org.apache.deltaspike.modules:deltaspike-jsf-module-impl package, versions [,1.9.3)

  • Attack Complexity


  • User Interaction


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    19 Mar 2020

  • disclosed

    19 Mar 2020

  • credit

    Christian Beikov, Matthias Walliczek

How to fix?

Upgrade org.apache.deltaspike.modules:deltaspike-jsf-module-impl to version 1.9.3 or higher.


org.apache.deltaspike.modules:deltaspike-jsf-module-impl is a suite of portable CDI Extensions intended to make application development easier when working with CDI and Java EE.

Affected versions of this package are vulnerable to Command injection in windowhandler.js. This is only possible if a developer selected the ClientSideWindowStrategy which is not the default setting.