oss-sec mailing list archives
CVE request: Mojarra allows deployed web applications to read FacesContext from other applications
From: David Jorm <djorm () redhat com>
Date: Wed, 06 Jun 2012 22:02:02 -0400 (EDT)
Could a CVE please be assigned for this issue: It was found that in Mojarra, the FacesContext that is made available during application startup is held in a ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JSF WAR calls FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and thus get access to the other WAR's resources. References: Upstream Mojarra bug: http://java.net/jira/browse/JAVASERVERFACES-2436 Bug for JBoss-specific impacts: https://issues.jboss.org/browse/JBPAPP-9197 Thanks -- David Jorm / Red Hat Security Response Team
Current thread:
- CVE request: Mojarra allows deployed web applications to read FacesContext from other applications David Jorm (Jun 06)