[java-sig-commits] [Bug 1607709] New: CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter

https://bugzilla.redhat.com/show_bug.cgi?id=1607709 Bug ID: 1607709 Summary: CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: sfowler(a)redhat.com CC: aileenc(a)redhat.com, alazarot(a)redhat.com, anstephe(a)redhat.com, apintea(a)redhat.com, bkundal(a)redhat.com, bmaxwell(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, csutherl(a)redhat.com, darran.lofthouse(a)redhat.com, dimitris(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, etirelli(a)redhat.com, fgavrilo(a)redhat.com, gvarsami(a)redhat.com, hghasemb(a)redhat.com, ibek(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jawilson(a)redhat.com, jcoleman(a)redhat.com, jolee(a)redhat.com, jondruse(a)redhat.com, jschatte(a)redhat.com, jstastny(a)redhat.com, kconner(a)redhat.com, krathod(a)redhat.com, kverlaen(a)redhat.com, ldimaggi(a)redhat.com, lef(a)fedoraproject.org, lgao(a)redhat.com, loleary(a)redhat.com, lpetrovi(a)redhat.com, mgoldman(a)redhat.com, myarboro(a)redhat.com, nwallace(a)redhat.com, paradhya(a)redhat.com, pgier(a)redhat.com, pjurak(a)redhat.com, ppalaga(a)redhat.com, psakar(a)redhat.com, pslavice(a)redhat.com, pszubiak(a)redhat.com, puntogil(a)libero.it, rnetuka(a)redhat.com, rrajasek(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, rsynek(a)redhat.com, rwagner(a)redhat.com, rzhang(a)redhat.com, sdaley(a)redhat.com, spinder(a)redhat.com, sstavrev(a)redhat.com, tcunning(a)redhat.com, theute(a)redhat.com, tkirby(a)redhat.com, twalsh(a)redhat.com, vhalbert(a)redhat.com, vtunka(a)redhat.com Eclipse Mojarra before version 2.3.5 is vulnerable to a path traversal falw in the ResourceManager.java:getLocalePrefix() function via the loc parameter. An attacker could exploit this to read arbitrary files. Upstream Patch: https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37... -- You are receiving this mail because: You are on the CC list for the bug.