Multiple path traversal flaws where found in Mojarra JSF2 implementation for identifying resources by name or from libraries. An unauthenticated remote attacker can use these flaws to gather otherwise undisclosed information from within an application's root. References: [1] http://security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html [2] http://www.kb.cert.org/vuls/id/526012 [3] http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3827 Affects: 2.0 - 2.1.18 Fixed In: 2.1.19 Upstream Fix commit: https://java.net/projects/mojarra/sources/svn/revision/11603 https://java.net/projects/mojarra/sources/svn/revision/11606
This issue has been addressed in following products: Red Hat JBoss Data Grid 6.2.0 Via RHSA-2014:0029 https://rhn.redhat.com/errata/RHSA-2014-0029.html