CVE-2011-4367 – org.apache.myfaces.core:myfaces-impl

Package

Manager: maven
Name: org.apache.myfaces.core:myfaces-impl
Vulnerable Version: >=2.0.0 <2.0.12 || >=2.1.0 <2.1.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.86318 pctl0.99365

Details

Apache MyFaces Vulnerable to Path Traversal Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a `..` (dot dot) in the (1) ln parameter to `faces/javax.faces.resource/web.xml` or (2) the `PATH_INFO` to `faces/javax.faces.resource/`.

Metadata

Created: 2022-05-13T01:24:34Z
Modified: 2023-08-16T23:00:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gjfx-9wx3-j6r7/GHSA-gjfx-9wx3-j6r7.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-gjfx-9wx3-j6r7
Finding: F063
Auto approve: 1