Vulnerability Description
Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Mojarra | 2.1.7 |
References
- http://java.net/jira/browse/JAVASERVERFACES-2436Exploit
- http://rhn.redhat.com/errata/RHSA-2012-1591.html
- http://rhn.redhat.com/errata/RHSA-2012-1592.html
- http://rhn.redhat.com/errata/RHSA-2012-1594.html
- http://secunia.com/advisories/49284Vendor Advisory
- http://secunia.com/advisories/51607
- http://www.openwall.com/lists/oss-security/2012/06/07/2
- http://www.openwall.com/lists/oss-security/2012/06/07/3
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76179
- https://issues.jboss.org/browse/JBPAPP-9197
- http://java.net/jira/browse/JAVASERVERFACES-2436Exploit
- http://rhn.redhat.com/errata/RHSA-2012-1591.html
- http://rhn.redhat.com/errata/RHSA-2012-1592.html
- http://rhn.redhat.com/errata/RHSA-2012-1594.html
- http://secunia.com/advisories/49284Vendor Advisory
FAQ
What is CVE-2012-2672?
CVE-2012-2672 is a vulnerability with a CVSS score of 2.1 (LOW). Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling...
How severe is CVE-2012-2672?
CVE-2012-2672 has been rated LOW with a CVSS base score of 2.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2672?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle Mojarra.