CVE-2011-4367 Information

Description

Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.

Reference

http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/3C4F33ED1F.407000740apache.org3E
http://osvdb.org/show/osvdb/79002
http://seclists.org/fulldisclosure/2012/Feb/150
http://secunia.com/advisories/47973
http://www.securityfocus.com/bid/51939
https://exchange.xforce.ibmcloud.com/vulnerabilities/73100
