CVE-2011-4367 — MEDIUM (5.0)

Q: How severe is CVE-2011-4367?

CVE-2011-4367 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-4367?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Myfaces.

Vulnerability Description

Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.

CVSS Score

5.0

MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Myfaces	>= 2.0.1, <= 2.0.11

Related Weaknesses (CWE)

CWE-22

References

http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/%3C4F33ED1ExploitVendor Advisory
http://osvdb.org/show/osvdb/79002Broken Link
http://seclists.org/fulldisclosure/2012/Feb/150ExploitMailing ListThird Party Advisory
http://secunia.com/advisories/47973Third Party Advisory
http://www.securityfocus.com/bid/51939ExploitThird Party AdvisoryVDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/73100Third Party AdvisoryVDB Entry
http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/%3C4F33ED1ExploitVendor Advisory
http://osvdb.org/show/osvdb/79002Broken Link
http://seclists.org/fulldisclosure/2012/Feb/150ExploitMailing ListThird Party Advisory
http://secunia.com/advisories/47973Third Party Advisory
http://www.securityfocus.com/bid/51939ExploitThird Party AdvisoryVDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/73100Third Party AdvisoryVDB Entry

FAQ

What is CVE-2011-4367?

CVE-2011-4367 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .....

How severe is CVE-2011-4367?

CVE-2011-4367 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-4367?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Myfaces.