
CVE-2018-14371: Path Traversal in Eclipse Mojarra

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.84997%
Published: 5/14/2022
Updated: 7/24/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: org.glassfish:mojarra-parent
Ecosystem: maven
Vulnerable Versions: < 2.3.7
First Patched Version: 2.3.7

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the getLocalePrefix function's handling of the 'loc' request parameter. Commit 1b43474 shows that the fix added a 'nameContainsForbiddenSequence' check specifically for the localePrefix value derived from this parameter. The CVE description explicitly names this function as the entry point for directory traversal via uncontrolled user input. The pre-patch code performed no path normalization or validation on that value before using it to build a resource path, which is what made it vulnerable.
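The check described above, as an added illustration that is not Mojarra's code: a request-supplied locale prefix is concatenated into a resource path, so it must be rejected before path construction if it carries traversal sequences. The class name, the `containsForbiddenSequence` and `resolveResourcePath` helpers, the forbidden-sequence list and the locale allow-list pattern are all assumptions made for this example and are not the project's actual implementation.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical, not Mojarra's code): validate a locale prefix
 * taken from a request parameter before it is used to build a resource path.
 */
public final class LocalePrefixCheck {

    // Constructed allow-list: a locale prefix such as "en", "de_CH" or "pt_BR_variant".
    // An allow-list is stricter than any deny-list of forbidden sequences.
    private static final Pattern LOCALE_PREFIX =
            Pattern.compile("^[a-z]{2,3}(_[A-Z]{2})?(_[A-Za-z0-9]+)?$");

    // Constructed deny-list: sequences that must never appear in a path
    // component derived from user input (".." and common encodings of it).
    private static final List<String> FORBIDDEN =
            List.of("..", "/", "\\", "%2e", "%2f", "%5c", "\0");

    /** Hypothetical equivalent of a "nameContainsForbiddenSequence" style check. */
    public static boolean containsForbiddenSequence(String name) {
        if (name == null) {
            return false;
        }
        // Lower-case so that "%2E" and "%2e" are treated alike.
        String lower = name.toLowerCase(Locale.ROOT);
        for (String seq : FORBIDDEN) {
            if (lower.contains(seq)) {
                return true;
            }
        }
        return false;
    }

    /** Allow-list check: only values shaped like a locale identifier are accepted. */
    public static boolean isWellFormedLocalePrefix(String prefix) {
        return prefix != null && LOCALE_PREFIX.matcher(prefix).matches();
    }

    /**
     * The unvalidated pattern: the request value goes straight into the path.
     * Kept only to contrast with resolveResourcePath below.
     */
    static String unvalidatedPath(String localePrefix, String resourceName) {
        return "/resources/" + localePrefix + "/" + resourceName;
    }

    /**
     * Hardened variant: the request value is used only if it passes the
     * allow-list and contains no forbidden sequence. Returns null when the
     * value is rejected so the caller can answer with a 404 instead.
     */
    public static String resolveResourcePath(String localePrefix, String resourceName) {
        if (localePrefix != null && !localePrefix.isEmpty()) {
            if (containsForbiddenSequence(localePrefix) || !isWellFormedLocalePrefix(localePrefix)) {
                return null;
            }
            return "/resources/" + localePrefix + "/" + resourceName;
        }
        return "/resources/" + resourceName;
    }

    public static void main(String[] args) {
        // Constructed sample values for the 'loc' parameter.
        String[] samples = {"de_CH", "en", "../../config", "..%2f..%2fconfig", "en\0"};
        for (String loc : samples) {
            String shown = loc.replace("\0", "\\0");
            System.out.printf("%-20s unvalidated: %-40s hardened: %s%n",
                    shown, unvalidatedPath(loc, "style.css"), resolveResourcePath(loc, "style.css"));
        }
    }
}
```

Running `main` prints the path each sample would produce with and without validation; the two locale-shaped values resolve to a path, the three others are rejected (null). The deny-list mirrors the "forbidden sequence" idea from the fix, while the allow-list regex is the stronger control: a value that matches it cannot contain a separator or a dot at all, so the deny-list is defence in depth rather than the primary gate.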


WAF Protection Rules

WAF Rule

The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
