https://bugzilla.redhat.com/show_bug.cgi?id=1607709
Bug ID: 1607709
Summary: CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: sfowler(a)redhat.com
Eclipse Mojarra before version 2.3.5 is vulnerable to a path traversal flaw in
the ResourceManager.java:getLocalePrefix() function via the loc parameter. An
attacker could exploit this to read arbitrary files.
Upstream Patch:
https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37...
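The flaw class above is a client-influenced locale value being joined into a resource path without being checked as a single path segment. The following is an added illustration of the kind of guard a defender would want around such a value; it is not Mojarra's code or its upstream fix, and the class name, method names and the assumed "de" / "de_DE" locale-prefix shape are this example's own assumptions.

```java
import java.net.URLDecoder;
import java.util.regex.Pattern;

/**
 * Illustrative guard for a JSF-style locale prefix (hypothetical, not Mojarra's
 * own code). A resource path is assembled as "<base>/<localePrefix>/<name>", so
 * the locale value must never be able to carry ".." or a path separator.
 */
public final class LocalePrefixGuard {

    // Assumed shape of a locale prefix such as "de", "de_DE" or "zh_Hans_CN".
    private static final Pattern LOCALE_PREFIX =
            Pattern.compile("^[A-Za-z]{2,8}(?:_[A-Za-z0-9]{2,8}){0,2}$");

    private LocalePrefixGuard() {}

    /** True if the value could add or escape a path segment when used in a path. */
    public static boolean containsForbiddenSequence(String value) {
        if (value == null) {
            return false;
        }
        String decoded;
        try {
            // Decode once so a percent-encoded dot or slash is seen as what it is.
            decoded = URLDecoder.decode(value, "UTF-8");
        } catch (Exception e) {
            return true; // malformed encoding is rejected rather than guessed at
        }
        return decoded.contains("..")
                || decoded.indexOf('/') >= 0
                || decoded.indexOf('\\') >= 0
                || decoded.indexOf('\0') >= 0;
    }

    /** Returns the prefix if it is safe to use as one path segment, otherwise null. */
    public static String safeLocalePrefix(String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        if (containsForbiddenSequence(requested)) {
            return null;
        }
        return LOCALE_PREFIX.matcher(requested).matches() ? requested : null;
    }

    public static void main(String[] args) {
        // Constructed probe values: two valid prefixes and two that must be rejected.
        String[] probes = { "de_DE", "en", "../../secret.txt", "%2e%2e%2fsecret.txt" };
        for (String p : probes) {
            System.out.println(p + " -> " + safeLocalePrefix(p));
        }
    }
}
```

The allow-list match is the part that does the real work: the deny-list of ".." and separators only documents the obvious cases, while the pattern rejects anything that is not shaped like a locale at all.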