CVE-2020-6950
Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.
A Directory Traversal vulnerability in Eclipse Mojarra versions prior to 2.3.14 allows attackers to read arbitrary files via the loc parameter or the con parameter.
A flaw was found in Eclipse Mojarra before version 2.3.14, where it is vulnerable to a path traversal flaw via the loc parameter or the con parameter. An attacker could exploit this flaw to read arbitrary files.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-01-13 CVE Reserved
- 2020-05-12 CVE Published
- 2024-08-04 CVE Updated
- 2024-11-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://github.com/eclipse-ee4j/mojarra/issues/4571 | Issue Tracking | |

URL | Date | SRC |
---|---|---|
https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943 | 2022-05-12 | |
https://access.redhat.com/security/cve/CVE-2020-6950 | 2021-08-11 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1805006 | 2021-08-11 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Eclipse | Mojarra | < 2.3.14 | - | Affected |
Oracle | Banking Enterprise Default Management | 2.10.0 | - | Affected |
Oracle | Banking Enterprise Default Management | 2.12.0 | - | Affected |
Oracle | Banking Platform | 2.6.2 | - | Affected |
Oracle | Banking Platform | 2.7.1 | - | Affected |
Oracle | Banking Platform | 2.9.0 | - | Affected |
Oracle | Banking Platform | 2.12.0 | - | Affected |
Oracle | Communications Network Integrity | 7.3.6 | - | Affected |
Oracle | Communications Pricing Design Center | 12.0.0.3.0 | - | Affected |
Oracle | Hyperion Calculation Manager | < 11.2.8.0 | - | Affected |
Oracle | Retail Merchandising System | 19.0.1 | - | Affected |
Oracle | Solaris Cluster | 4.0 | - | Affected |
Oracle | Time And Labor | >= 12.2.6 <= 12.2.11 | - | Affected |