[ https://issues.redhat.com/browse/WFLY-13439?page=com.atlassian.jira.plugi... ]
Farah Juma updated WFLY-13439:
------------------------------
Description:
Path traversal via either the loc parameter or the con parameter, incomplete fix of
CVE-2018-14371
https://bugzilla.redhat.com/show_bug.cgi?id=1805006
This was already fixed upstream:
https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37...
https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6b...
was:
Security Tracking Issue
Do not make this issue public.
Impact: Moderate
Public Date: 20-Feb-2020
Resolve Bug By: 19-Feb-2021
In case the dates above are already past, please evaluate this bug in your next
prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX
if you decide not to fix this bug.
Please see the Security Errata Policy for further details:
https://docs.engineering.redhat.com/x/9RBqB
Flaw:
-----
CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter,
incomplete fix of CVE-2018-14371
https://bugzilla.redhat.com/show_bug.cgi?id=1805006
Eclipse Mojarra before version 2.3.14 is vulnerable to a path traversal flaw via either
the loc parameter or the con parameter. An attacker could exploit this to read arbitrary
files. The issue was previously reported as CVE-2019-0199, but that fix was incomplete.
Upstream Patch:
https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37...
https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6b...
CVE-2020-6950 jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-1437
----------------------------------------------------------------------------------------------------------------------------------
Key: WFLY-13439
URL: https://issues.redhat.com/browse/WFLY-13439
Project: WildFly
Issue Type: Bug
Components: JSF
Reporter: Farah Juma
Assignee: Farah Juma
Priority: Minor
Labels: CVE-2020-6950, Security, SecurityTracking, pscomponent:jsf-impl
--
This message was sent by Atlassian Jira
(v7.13.8#713008)