Description
Oracle JavaServer Faces contains multiple vulnerabilities which could allow an attacker to obtain sensitive information. The vulnerability report by Alex Kouzemtchenko and Jon Passki of Coverity Security Research Labs states that Oracle JavaServer Faces contains the following vulnerabilities:
- Partial Directory Traversal Via Resource Identifier (CWE-22): A defect exists that allows for directory traversal within the application. The directory traversal is limited in that it cannot be used to escape from the application and access arbitrary files on the application server.
- Partial Directory Traversal Via Library Name (CWE-22): A defect exists that allows for directory traversal within the application. The directory traversal is limited in that it cannot be used to escape from the application and access arbitrary files on the application server.
- Encryption Context Parameter Incorrectly Documented (CWE-705).
- ViewState HMAC Not Verified in Constant Time (CWE-367).
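The last item in the list concerns how a computed HMAC is compared with the one received. The following is an added example, not Oracle's or Mojarra's code, showing an early-exit comparison beside a constant-time one; the class name, the token layout (payload followed by a 32-byte HMAC-SHA256 tag) and the sample key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration. Assumed token layout: payload || 32-byte HMAC-SHA256 tag
// (hypothetical, not the Mojarra wire format).
public class ViewStateMacCheck {
    private static final int TAG_LEN = 32;

    static byte[] tag(byte[] key, byte[] payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(payload);
    }

    static byte[] protect(byte[] key, byte[] payload) throws GeneralSecurityException {
        byte[] out = Arrays.copyOf(payload, payload.length + TAG_LEN);
        System.arraycopy(tag(key, payload), 0, out, payload.length, TAG_LEN);
        return out;
    }

    // Weak: Arrays.equals stops at the first differing byte, so response time
    // depends on how many leading tag bytes the sender got right.
    static boolean verifyLeaky(byte[] key, byte[] token) throws GeneralSecurityException {
        if (token.length < TAG_LEN) return false;
        int n = token.length - TAG_LEN;
        return Arrays.equals(tag(key, Arrays.copyOf(token, n)),
                             Arrays.copyOfRange(token, n, token.length));
    }

    // Hardened: MessageDigest.isEqual (current JDKs) examines every byte, so the
    // comparison time does not depend on where the tags differ.
    static boolean verify(byte[] key, byte[] token) throws GeneralSecurityException {
        if (token.length < TAG_LEN) return false;
        int n = token.length - TAG_LEN;
        return MessageDigest.isEqual(tag(key, Arrays.copyOf(token, n)),
                                     Arrays.copyOfRange(token, n, token.length));
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] token = protect(key, "constructed view state".getBytes(StandardCharsets.UTF_8));
        System.out.println("valid token accepted:    " + verify(key, token));
        token[token.length - 1] ^= 0x01; // flip one bit of the tag
        System.out.println("tampered token accepted: " + verify(key, token));
    }
}
```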
Remediation
These vulnerabilities have been addressed in the Oracle Critical Patch Update Advisory - October 2013. Affected users are advised to apply the recommended Critical Patch updates listed in the Oracle Critical Patch Update Advisory - October 2013 for CVE-2013-3827.