CVE-2011-4367

Currently unrated

Key Information:

Vendor: Apache
Status: Myfaces
Vendor: CVE Published:; 19 June 2014

Summary

Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.

References

http://seclists.org/fulldisclosure/2012/Feb/150

mailing-listx_refsource_FULLDISC

http://osvdb.org/show/osvdb/79002

vdb-entryx_refsource_OSVDB

https://exchange.xforce.ibmcloud.com/vulnerabilities/73100

vdb-entryx_refsource_XF

EPSS Score

11% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Jun 19, 2014
Vulnerability Reserved
Nov 4, 2011