CVE-2011-4367: Path Traversal
First published: Thu Jun 19 2014(Updated: )
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache MyFaces | >=2.0.1<=2.0.11 | |
| Apache MyFaces | >=2.1.0<=2.1.5 | |
| maven/org.apache.myfaces.core:myfaces-impl | >=2.1.0<2.1.6 | 2.1.6 |
| maven/org.apache.myfaces.core:myfaces-impl | >=2.0.0<2.0.12 | 2.0.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://osvdb.org/show/osvdb/79002
- http://www.securityfocus.com/bid/51939
- http://secunia.com/advisories/47973
- http://seclists.org/fulldisclosure/2012/Feb/150
- http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/%3C4F33ED1F.4070007%40apache.org%3E
- https://exchange.xforce.ibmcloud.com/vulnerabilities/73100
- https://nvd.nist.gov/vuln/detail/CVE-2011-4367
- https://web.archive.org/web/20120213042504/http://www.securityfocus.com/bid/51939
- https://github.com/advisories/GHSA-gjfx-9wx3-j6r7 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2011-4367?
CVE-2011-4367 is considered a high severity vulnerability due to its potential for directory traversal allowing unauthorized file access.
How do I fix CVE-2011-4367?
To fix CVE-2011-4367, upgrade to Apache MyFaces Core version 2.0.12 or 2.1.6 or later.
What software is affected by CVE-2011-4367?
CVE-2011-4367 affects Apache MyFaces Core versions 2.0.x before 2.0.12 and 2.1.x before 2.1.6.
Can CVE-2011-4367 allow remote code execution?
While CVE-2011-4367 primarily allows unauthorized file access, it may lead to further vulnerabilities and potential remote code execution in certain conditions.
How can I detect CVE-2011-4367 in my application?
To detect CVE-2011-4367, review your application's MyFaces version and check for any instances of directory traversal patterns in your web applications.
- collector/nvd-historical
- collector/github-advisory-latest
- alias/GHSA-gjfx-9wx3-j6r7
- alias/CVE-2011-4367
- collector/github-advisory
- collector/nvd-cve
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/apache
- canonical/apache myfaces
- version/apache myfaces/2.0.1
- version/apache myfaces/2.0.11
- version/apache myfaces/2.1.0
- version/apache myfaces/2.1.5
- package-manager/maven