oss-sec mailing list archives

CVE request: Mojarra allows deployed web applications to read FacesContext from other applications

From: David Jorm <djorm () redhat com>
Date: Wed, 06 Jun 2012 22:02:02 -0400 (EDT)

Could a CVE please be assigned for this issue:

It was found that in Mojarra, the FacesContext that is made available during application startup is held in a 
ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JSF WAR calls 
FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and 
thus get access to the other WAR's resources.

References:
Upstream Mojarra bug: http://java.net/jira/browse/JAVASERVERFACES-2436
Bug for JBoss-specific impacts: https://issues.jboss.org/browse/JBPAPP-9197

Thanks
-- 
David Jorm / Red Hat Security Response Team

Current thread:

CVE request: Mojarra allows deployed web applications to read FacesContext from other applications David Jorm (Jun 06)
- Re: CVE request: Mojarra allows deployed web applications to read FacesContext from other applications Kurt Seifried (Jun 06)