PT-2018-3873 · Eclipse · Eclipse Mojarra

Published 2018-07-18 · Updated 2022-05-14 · CVE-2018-14371

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Eclipse Mojarra versions prior to 2.3.7

Description: The issue concerns the getLocalePrefix function in ResourceManager.java, which is affected by a directory traversal vulnerability via the loc parameter. A remote attacker can use it to download configuration files or Java bytecode from the application. The root cause is an improper restriction of a pathname to a restricted directory (path traversal), which lets an attacker gain unauthorized access to protected information.

Recommendations: For Eclipse Mojarra versions prior to 2.3.7, update to version 2.3.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the getLocalePrefix function in ResourceManager.java to minimize the risk of exploitation. Avoid using the loc parameter in vulnerable API endpoints until the issue is resolved.
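The following is an added example, not Mojarra's own code or the vendor's fix: it shows the allowlist check a resource handler should apply to a user-supplied locale value before joining it to a resource path, which is the defensive counterpart to the traversal described above. The class name LocalePrefixGuard, its methods and the sample values are hypothetical.

```java
import java.util.regex.Pattern;

/**
 * Hardened locale-prefix validation (hypothetical example code, not from
 * Mojarra). A "loc" value is accepted only if it looks like a locale tag;
 * anything containing path separators, "..", or encoded bytes is rejected
 * before it can influence which resource is opened.
 */
public final class LocalePrefixGuard {

    // Locale tags such as "en", "de_DE" or "pt_BR": letters, then up to two
    // region/variant parts separated by '_' or '-'. No '/', '\', '.' or '%'.
    private static final Pattern LOCALE = Pattern.compile(
        "^[a-zA-Z]{2,3}([_-][a-zA-Z0-9]{2,8}){0,2}$");

    private LocalePrefixGuard() {}

    /** True only if loc is a plain locale token with no path characters. */
    public static boolean isSafeLocalePrefix(String loc) {
        return loc != null && LOCALE.matcher(loc).matches();
    }

    /**
     * Returns the validated prefix, or null when the value must be ignored.
     * Callers should fall back to the default resource path on null instead
     * of building a path from the rejected value.
     */
    public static String safeLocalePrefix(String loc) {
        return isSafeLocalePrefix(loc) ? loc : null;
    }

    public static void main(String[] args) {
        // Constructed sample values: two valid tags and two malformed ones.
        String[] samples = { "en", "de_DE", "../x", "en/..%2f" };
        for (String s : samples) {
            System.out.println(s + " -> " + safeLocalePrefix(s));
        }
    }
}
```

Rejected values should also be logged server-side, since repeated malformed loc parameters are a useful detection signal for traversal attempts against unpatched instances.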

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2023-02664
CVE-2018-14371
GHSA-43Q7-Q5VP-3G68
RHSA-2020:2063
RHSA-2020:2511
RHSA-2020:2512
RHSA-2020:2513

Affected Products

Eclipse Mojarra