CVE-2011-4367
Apache MyFaces Vulnerable to Path Traversal
EPSS 85.9%
Description
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a `..` (dot dot) in the (1) ln parameter to `faces/javax.faces.resource/web.xml` or (2) the `PATH_INFO` to `faces/javax.faces.resource/`.
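A defender-side check for the two vectors named in the description, added here as an example and not taken from Apache MyFaces or from this advisory's source: it scans access-log lines for a `..` segment in the `ln` parameter or in the path after `javax.faces.resource/`. The log layout (combined format), the function names and the sample entries are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

RESOURCE_MARKER = "/javax.faces.resource/"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # request line in a log entry

def _fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded dots are normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def _has_dotdot(value):
    """True if any segment (split on slash or backslash) is exactly '..'."""
    return ".." in re.split(r"[/\\]", _fully_decode(value))

def classify(target):
    """Return 'ln', 'path_info' or None for one request target."""
    parts = urlsplit(target)
    path = _fully_decode(parts.path)
    if RESOURCE_MARKER not in path:
        return None
    # Vector (2): traversal in PATH_INFO after the resource handler prefix
    if _has_dotdot(path.split(RESOURCE_MARKER, 1)[1]):
        return "path_info"
    # Vector (1): traversal in the ln (library name) query parameter
    for ln in parse_qs(parts.query, keep_blank_values=True).get("ln", []):
        if _has_dotdot(ln):
            return "ln"
    return None

def scan(lines):
    """Yield (line_number, vector) for each suspicious log line."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and (vector := classify(m.group(1))):
            yield n, vector

SAMPLE_LOG = [  # constructed entries, not captured traffic
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/faces/javax.faces.resource/style.css?ln=css HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /app/faces/javax.faces.resource/web.xml?ln=.. HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2024:10:00:06 +0000] "GET /app/faces/javax.faces.resource/web.xml?ln=%252e%252e HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /app/faces/javax.faces.resource/..%2fx.xhtml HTTP/1.1" 404 0',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /app/index.xhtml?ln=.. HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status on a host still running an affected version is the case to triage first; the check matches whole `..` segments only, so a library name that merely contains two dots is not flagged.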
How to fix CVE-2011-4367
To remediate CVE-2011-4367, upgrade the affected package to a fixed version below.
- Maven/org.apache.myfaces.core:myfaces-impl—upgrade to 2.0.12 or later
Is CVE-2011-4367 being exploited?
Likely — EPSS is 85.9%, placing CVE-2011-4367 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- Maven/org.apache.myfaces.core:myfaces-impl: >= 2.0.0, < 2.0.12