[Bug 548244] Vulnerability within Oracle Mojarra JSF v2.2 and v2.3
| Field | Value |
|---|---|
| Bugzilla Link | 548244 |
| Status | NEW |
| Importance | P3 major |
| Reported | Jun 13, 2019 10:50 EDT |
| Modified | Jan 10, 2020 11:37 EDT |
| Reporter | Jean-Benjamin Rousseau |
Description
Created attachment 278927: security advisory
Dear Eclipse team,
SEC Consult is a leading consulting company for information security. During a short security crash test we have found a high-level security vulnerability within Oracle Mojarra JSF v2.2 and v2.3. The vulnerability has been reported to Oracle and is currently being fixed.
An incomplete fix has already been applied:
• https://github.com/javaserverfaces/mojarra/commit/618b35db4d0d0b09a54a5857ba34490a6963c5ab
• https://github.com/javaserverfaces/mojarra/commit/6b8f467ac96c862364dff97655a8e4cea4ad3ec8
We just made another request for a more secure fix.
The Oracle security team told us to contact you to request a CVE ID since the issue affects the Open Source release. The security advisory with proof of concept information is attached. Could you assign a new CVE ID to this vulnerability?
Best regards,
Jean-Benjamin Rousseau
Security Consultant
--------------------------------------------------------------------
SEC Consult (Schweiz) AG
Turbinenstrasse 28 | 8005 Zurich | Switzerland
P +41 44 271 77 70 | M +41 79 109 53 22
j.rousseau@sec-consult.com
SEC DEFENCE EMERGENCY-HOTLINE: +49 30 398 202 777
ADVISOR FOR YOUR INFORMATION SECURITY.
---------------------------------------------------------------------
Commercial register number: CH-020.3.040.983-2
Sales tax identification number: CHE-464.929.107
Management: Florian Lukavsky