oss-sec mailing list archives
Re: CVE request: Mojarra allows deployed web applications to read FacesContext from other applications
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 06 Jun 2012 20:55:02 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/06/2012 08:02 PM, David Jorm wrote:
Could a CVE please be assigned for this issue: It was found that in Mojarra, the FacesContext that is made available during application startup is held in a ThreadLocal. The reference is not properly cleaned up in all cases. As a result, if a JSF WAR calls FacesContext.getCurrentInstance() during application startup, another WAR can get access to the leftover context and thus get access to the other WAR's resources. References: Upstream Mojarra bug: http://java.net/jira/browse/JAVASERVERFACES-2436 Bug for JBoss-specific impacts: https://issues.jboss.org/browse/JBPAPP-9197 Thanks
Please use CVE-2012-2672 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJP0BgFAAoJEBYNRVNeJnmTQ8MP/36Pjn/wI3mr4cPIlKZnorx+ DtUT0sgolqZlzISvDewIIWE3lGBx3/q5Wcl7We0Pbs8C3zgU6zDMnEAp2hCoibTR qxQji5sJVVMOucQg1qoleeINPNoM0zNFJzkTf0dI+UrI+DoFjOi3uEQPxF11bOQi inDagx6Rws0+pX5xNEpakQeX/WHh8MoB6e0tr2bPVOgWerXIMvgTVPmXKTtjH0gw JuPd0EOcYHSBy2I5XM2tDORm/va/wOPn/TIqOQeH/dSA/iX13eVaVy+SomsvHpkB ioseSDHHS4v+7/V/lCYUOo05f8COMT4HYpVA85hBQP5vwwX1afXV213AkfPlpGB4 kM3gcwr+v/gL9CmPyKFCLBmbHgdBMxGVk7AbSmvvZ2F52E7zEYGIR+CNZLz55aC8 OoR20rK4umqJEfraBMa4zOnFBuE9twSxO7kdCGDAJcnqTPKkBo/tQKqmViKPvOph 5DhRCWKQeWitnLW/ZNFQfTa4ZLfvsH1BERntSeWeFpwsaY/t0HqTw+5wcdBRqAiY ZXic3ZTmidxAnn/hhrF/8gEERlgp7r4TqcTX+16XE0rfyqsoB2hr+BfUy2O30nX8 0An4qf9cdYLhDJO4bURpMT5zGUZ2ZKyk4SuZogj3/PJBGAecgIv11TGMhk8Ufzhv DlDOg3pw0Jr6pkUraOV8 =6u/u -----END PGP SIGNATURE-----
Current thread:
- CVE request: Mojarra allows deployed web applications to read FacesContext from other applications David Jorm (Jun 06)
- Re: CVE request: Mojarra allows deployed web applications to read FacesContext from other applications Kurt Seifried (Jun 06)