Eclipse Mojarra before version 2.3.14 is vulnerable to a path traversal flaw via either the loc parameter or the con parameter. An attacker could exploit this to read arbitrary files. It was reported as CVE-2019-0199, but it was an incomplete fix. Upstream Patch: https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24 https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741
External References: https://github.com/javaserverfaces/mojarra/issues/4364 https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24 https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943 https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741 https://github.com/eclipse-ee4j/mojarra/issues/4571
*** Bug 1805008 has been marked as a duplicate of this bug. ***
Acknowledgments: Name: An Trinh
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notesfor more details.
Mitigation: There is no currently known mitigation for this flaw.
This issue has been addressed in the following products: Red Hat Single Sign On 7.3 Via RHSA-2020:2113 https://access.redhat.com/errata/RHSA-2020:2113
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-6950
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905
This issue has been addressed in the following products: EAP-CD 20 Tech Preview Via RHSA-2020:3585 https://access.redhat.com/errata/RHSA-2020:3585
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:3637 https://access.redhat.com/errata/RHSA-2020:3637
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:3639 https://access.redhat.com/errata/RHSA-2020:3639
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:3638 https://access.redhat.com/errata/RHSA-2020:3638
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:3642 https://access.redhat.com/errata/RHSA-2020:3642
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140