CVE-2012-2672
Published: 17 June 2012
Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information and access resources from another WAR file by calling the FacesContext.getCurrentInstance function.
Notes
Author | Note |
---|---|
ebarretto | According to Debian: Only affected in combination with EAP6/AS7 application servers, not shipped in Debian |
Priority
Status
Package | Release | Status |
---|---|---|
mojarra (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
mojarra | bionic | Not vulnerable (2.2.8-5) |
mojarra | cosmic | Ignored (end of life) |
mojarra | disco | Not vulnerable (2.2.8-6) |
mojarra | hardy | Does not exist |
mojarra | lucid | Does not exist |
mojarra | natty | Ignored (end of life) |
mojarra | oneiric | Ignored (end of life) |
mojarra | precise | Ignored (end of life) |
mojarra | quantal | Ignored (end of life) |
mojarra | raring | Ignored (end of life) |
mojarra | saucy | Ignored (end of life) |
mojarra | trusty | Does not exist (trusty was needed) |
mojarra | upstream | Needs triage |
mojarra | utopic | Ignored (end of life) |
mojarra | vivid | Ignored (end of life) |
mojarra | wily | Ignored (end of life) |
mojarra | xenial | Not vulnerable (2.2.8-2) |
mojarra | yakkety | Ignored (end of life) |
mojarra | zesty | Ignored (end of life) |
References
- https://issues.jboss.org/browse/JBPAPP-9197
- http://xforce.iss.net/xforce/xfdb/76179
- http://www.openwall.com/lists/oss-security/2012/06/07/3
- http://www.openwall.com/lists/oss-security/2012/06/07/2
- http://secunia.com/advisories/49284
- http://java.net/jira/browse/JAVASERVERFACES-2436
- https://www.cve.org/CVERecord?id=CVE-2012-2672
- NVD
- Launchpad
- Debian