
Paul Nicolucci

Researcher at IBM
#49816 of 53,779
5 total CVSS
Vulnerabilities · 1
PT-2014-2169
5.0
2014-06-19
Apache · Apache MyFaces Core · CVE-2011-4367

**Name of the Vulnerable Software and Affected Versions**

Apache MyFaces Core versions 2.0.x through 2.0.11
Apache MyFaces Core versions 2.1.x through 2.1.5

**Description**

Multiple directory traversal issues in Apache MyFaces Core allow remote attackers to read arbitrary files. This is achieved by including a `..` (dot dot) in the `ln` parameter to the `faces/javax.faces.resource/web.xml` endpoint or in the `PATH_INFO` to the `faces/javax.faces.resource/` endpoint.

**Recommendations**

For Apache MyFaces Core versions 2.0.x through 2.0.11, update to version 2.0.12 or later.
For Apache MyFaces Core versions 2.1.x through 2.1.5, update to version 2.1.6 or later.