CVE-2012-2672
Severity: low
CVSS v3: —
CVSS v2: 2.1
VIR risk: 2.1
Description
Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information and access resources from another WAR file by calling the FacesContext.getCurrentInstance function.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-2672
Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/49284
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.2.8-1 |
| debian | bullseye | fixed | 2.2.8-1 |
| debian | forky | fixed | 2.2.8-1 |
| debian | sid | fixed | 2.2.8-1 |
| debian | trixie | fixed | 2.2.8-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| oracle | mojarra | 2.1.7 | |
References
- http://java.net/jira/browse/JAVASERVERFACES-2436
- http://rhn.redhat.com/errata/RHSA-2012-1591.html
- http://rhn.redhat.com/errata/RHSA-2012-1592.html
- http://rhn.redhat.com/errata/RHSA-2012-1594.html
- http://secunia.com/advisories/49284
- http://secunia.com/advisories/51607
- http://www.openwall.com/lists/oss-security/2012/06/07/2
- http://www.openwall.com/lists/oss-security/2012/06/07/3
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76179
- https://issues.jboss.org/browse/JBPAPP-9197
- https://security-tracker.debian.org/tracker/CVE-2012-2672