Bug 550943 - Mojarra multiple directory traversal issues
Summary: Mojarra multiple directory traversal issues
Status: CLOSED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All  OS: All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
Keywords: security
Reported: 2019-09-10 13:44 EDT by An Trinh
Modified: 2021-08-16 18:44 EDT
Description An Trinh 2019-09-10 13:44:15 EDT
The issues have been reported previously on https://github.com/eclipse-ee4j/mojarra/issues/4571. Each of them could lead to disclosure of restricted application files e.g. WEB-INF/web.xml via HTTP requests.
Comment 1 Eclipse Webmaster 2019-09-17 08:29:23 EDT
CC'ing the project lead.

-M.
Comment 2 arjan tijms 2019-09-18 05:44:43 EDT
A commit was done here: https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741

We'll add a test later today to assert the mentioned vulnerabilities as listed here indeed don't happen anymore: https://github.com/eclipse-ee4j/mojarra/issues/4571
Comment 3 Wayne Beaton 2019-09-18 10:47:26 EDT
If the project team believes that a CVE is required, please follow the instructions in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 4 An Trinh 2019-09-18 13:22:22 EDT
Fix looks good to me. Thank you Arjan & Wayne.

FWIW the vulnerable locale code was added recently, in 2017 (2.3), but the contract one exists from as far back as 2013 (2.2). Random research on the internet yields a pretty large impact.
Comment 5 Wayne Beaton 2019-10-02 15:23:32 EDT
Arjan (or any other project committer), if you feel that a CVE is warranted here, please follow the steps outlined in the handbook.

> https://www.eclipse.org/projects/handbook/#vulnerability-cve

The words "large impact" make me think that one is warranted.
Comment 6 An Trinh 2019-11-22 03:04:06 EST
Arjan, could you help with obtaining a CVE for this please? I believe Mojarra users need to be aware of this.
Comment 7 Wayne Beaton 2020-01-10 11:36:52 EST
Arjan, I need a resolution here. Do we assign a CVE or not?

If yes, I need some information from you.

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 8 arjan tijms 2020-01-10 12:08:12 EST
Sorry for not replying earlier. Let's assign the CVE and go through the steps. I'll look at your link to see what's exactly needed.
Comment 9 Wayne Beaton 2020-01-13 15:28:40 EST
(In reply to arjan tijms from comment #8)
> Sorry for not replying earlier. Let's assign the CVE and go through the
> steps. I'll look at your link to see what's exactly needed.

I'll assign the CVE when you've provided the information that I need to push the record to the central authority. If I assign the CVE in advance, people will start using it, causing confusion. Do you have an ETA?
Comment 10 An Trinh 2020-01-15 22:14:18 EST
Oracle has assigned CVE-2020-6950 for this issue in the Mojarra component in their Weblogic Server product. I believe we can use the same one to address this issue in general, so we can close this now.