CVE-2012-2672 Information

Description

Oracle Mojarra 2.1.7 does not properly \clean up\ the FacesContext reference during startup which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function.

Reference

http://java.net/jira/browse/JAVASERVERFACES-2436 http://rhn.redhat.com/errata/RHSA-2012-1591.html http://rhn.redhat.com/errata/RHSA-2012-1592.html http://rhn.redhat.com/errata/RHSA-2012-1594.html http://secunia.com/advisories/49284 http://secunia.com/advisories/51607 http://www.openwall.com/lists/oss-security/2012/06/07/2 http://www.openwall.com/lists/oss-security/2012/06/07/3 https://exchange.xforce.ibmcloud.com/vulnerabilities/76179 https://issues.jboss.org/browse/JBPAPP-9197