|
Description
|
|
A vulnerability has been reported in Apache MyFaces, which can be exploited by malicious people to disclose certain sensitive information.
Input appended to the URL or passed via the "ln" parameter to the "javax.faces.resource" resource handler is not properly verified before being used to display files. This can be exploited to disclose the contents of certain files from local resources via directory traversal sequences.
The vulnerability is reported in versions 2.0.1 through 2.0.11 and versions 2.1.0 through 2.1.5.
|
|
|
|
|
|
Vulnerable Products
|
|
Vulnerable Software:
Apache MyFaces 2.0.xApache MyFaces 2.1.x
|
|
|
|
|
|
Solution
|
|
Update to version 2.0.12 or 2.1.6.
|
|
|
|
|
|
CVE
|
|
CVE-2011-4367
|
|
|
|
|
|
References
|
|
http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/%3C4F33ED1F.4070007%40apache.org%3E
|
|
|
|
|
|
Vulnerability Manager Detection
|
|
No
|
|
|
|
|
|
IPS Protection
|
|
|
|
|
|
|
