Bug 1038898 (CVE-2013-3827)

Summary: CVE-2013-3827 Mojarra JSF2: Multiple Information Disclosure flaws due to unsafe path traversal
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bdawidow, ccoleman, dmcphers, enagai, epp-bugs, fnasser, grocha, hfnukal, huwang, jason.greene, jdg-bugs, jialiu, jpallich, lgao, lmeyer, myarboro, pcheung, theute, tkramer, ttarrant, weli
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-01-15 18:33:07 UTC
Bug Depends On: 1038913, 1038915, 1038916
Bug Blocks: 991853, 1035974, 1038927

Description Arun Babu Neelicattu 2013-12-06 05:19:54 UTC
Multiple path traversal flaws were found in the Mojarra JSF2 implementation for identifying resources by name or from libraries. An unauthenticated remote attacker can use these flaws to gather otherwise undisclosed information from within an application's root.

References:
[1] http://security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html
[2] http://www.kb.cert.org/vuls/id/526012
[3] http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3827

Affects: 2.0 - 2.1.18
Fixed In: 2.1.19

Upstream fix commits:
https://java.net/projects/mojarra/sources/svn/revision/11603
https://java.net/projects/mojarra/sources/svn/revision/11606
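The description above states that the flaws lie in how resource and library names are resolved against the application's root. The following is an added example of the kind of input validation that closes that class of bug; it is hypothetical illustration code, not Mojarra's own implementation nor the content of the upstream commits listed above. The class name `ResourceNameGuard`, the virtual root `/webapp/resources`, and the sample identifiers are all constructed for the demonstration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical, dependency-free guard for resource and library names that a
 * web framework resolves relative to its resource directory. Added example;
 * not Mojarra code.
 */
public final class ResourceNameGuard {

    // Constructed value: the directory all resource lookups must stay inside.
    private static final Path RESOURCE_ROOT =
            Paths.get("/webapp/resources").toAbsolutePath().normalize();

    private ResourceNameGuard() {}

    /**
     * Accepts only identifiers that cannot escape the resource directory.
     * The checks run on the raw value and on its percent-decoded form, so an
     * encoded "%2E%2E%2F" is caught as well as a literal "../".
     */
    public static boolean isSafeSegment(String segment) {
        if (segment == null || segment.isEmpty()) {
            return false;
        }
        String[] candidates = { segment, percentDecode(segment) };
        for (String candidate : candidates) {
            // Absolute paths and Windows separators are never legitimate names.
            if (candidate.startsWith("/") || candidate.contains("\\")) {
                return false;
            }
            // NUL can truncate the path inside native file APIs.
            if (candidate.indexOf('\0') >= 0) {
                return false;
            }
            // Every path element must be a plain name: no "..", ".", or empty.
            for (String part : candidate.split("/")) {
                if (part.isEmpty() || part.equals(".") || part.equals("..")) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Resolves library/resource beneath the root and returns null when either
     * identifier is unsafe or the normalized result leaves the root.
     */
    public static Path resolveOrNull(String libraryName, String resourceName) {
        if (!isSafeSegment(libraryName) || !isSafeSegment(resourceName)) {
            return null;
        }
        Path resolved = RESOURCE_ROOT.resolve(libraryName).resolve(resourceName).normalize();
        // Defence in depth: the normalized path must still start with the root.
        return resolved.startsWith(RESOURCE_ROOT) ? resolved : null;
    }

    private static String percentDecode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            // A malformed escape sequence is left as-is; the raw checks still apply.
            return s;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: one legitimate lookup and several traversal attempts.
        String[][] samples = {
            { "css", "style.css" },
            { "css", "../../WEB-INF/web.xml" },
            { "..", "WEB-INF/web.xml" },
            { "css", "..%2F..%2FWEB-INF%2Fweb.xml" },
            { "/etc", "hosts" },
        };
        for (String[] s : samples) {
            Path p = resolveOrNull(s[0], s[1]);
            System.out.printf("%-6s %-32s -> %s%n", s[0], s[1], p == null ? "REJECTED" : p);
        }
    }
}
```

Compile and run with `javac ResourceNameGuard.java && java ResourceNameGuard`; only the first sample resolves, the rest are rejected. The two layers are deliberate: the per-segment check rejects suspicious identifiers before any filesystem call, and the `startsWith(RESOURCE_ROOT)` check on the normalized path guards against any traversal form the segment rules did not anticipate.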

Comment 6 errata-xmlrpc 2014-01-15 17:47:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.2.0

Via RHSA-2014:0029 https://rhn.redhat.com/errata/RHSA-2014-0029.html