The issues have been reported previously on https://github.com/eclipse-ee4j/mojarra/issues/4571. Each of them could lead to disclosure of restricted application files e.g. WEB-INF/web.xml via HTTP requests.
CC'ing the project lead. -M.
A commit was done here: https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741 We'll add a test later today to assert the mentioned vulnerabilities as listed here indeed don't happen anymore: https://github.com/eclipse-ee4j/mojarra/issues/4571
If the project team believes that a CVE is required, please follow the instructions in the handbook. https://www.eclipse.org/projects/handbook/#vulnerability-cve
Fix looks good to me. Thank you Arjan & Wayne. FWIW the vulnerable locale code was added recently, in 2017 (2.3), but the contract one has existed since as far back as 2013 (2.2). Random research on the internet yields a pretty large impact.
Arjan (or any other project committer), if you feel that a CVE is warranted here, please follow the steps outlined in the handbook.

> https://www.eclipse.org/projects/handbook/#vulnerability-cve

The words "large impact" make me think that one is warranted.
Arjan, could you help with obtaining a CVE for this please? I believe Mojarra users need to be aware of this.
Arjan, I need a resolution here. Do we assign a CVE or not? If yes, I need some information from you. https://www.eclipse.org/projects/handbook/#vulnerability-cve
Sorry for not replying earlier. Let's assign the CVE and go through the steps. I'll look at your link to see what's exactly needed.
(In reply to arjan tijms from comment #8)

> Sorry for not replying earlier. Let's assign the CVE and go through the
> steps. I'll look at your link to see what's exactly needed.

I'll assign the CVE when you've provided the information that I need to push the record to the central authority. If I assign the CVE in advance, people will start using it, causing confusion. Do you have an ETA?
Oracle has assigned CVE-2020-6950 for this issue in the Mojarra component in their Weblogic Server product. I believe we can use the same one to address this issue in general, so we can close this now.