Apache · Apache MyFaces Core · CVE-2011-4367
**Name of the Vulnerable Software and Affected Versions**
Apache MyFaces Core versions 2.0.x through 2.0.11
Apache MyFaces Core versions 2.1.x through 2.1.5
**Description**
Multiple directory traversal issues in Apache MyFaces Core allow remote attackers to read arbitrary files. This is achieved by including a `..` (dot dot) in the `ln` parameter of a request to `faces/javax.faces.resource/web.xml`, or in the `PATH_INFO` of a request to `faces/javax.faces.resource/`.
**Recommendations**
For Apache MyFaces Core versions 2.0.x through 2.0.11, update to version 2.0.12 or later.
For Apache MyFaces Core versions 2.1.x through 2.1.5, update to version 2.1.6 or later.
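To check whether an affected deployment received requests matching the two vectors in the description, the following added example (not part of the advisory or of MyFaces) scans access-log lines for a `..` segment in the `ln` parameter or in the path after `javax.faces.resource/`, including percent-encoded and double-encoded forms. The combined log format, the `/app` context path, the `placeholder` names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

MARKER = "/javax.faces.resource/"  # resource path named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dotdot(value):
    """True when a segment (split on / or backslash) is exactly '..'."""
    return ".." in re.split(r"[/\\]", fully_decode(value))

def classify(uri):
    """Return 'ln', 'path_info' or None for one request URI."""
    parts = urlsplit(uri)
    path = fully_decode(parts.path)
    if MARKER not in path:
        return None
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if key == "ln" and has_dotdot(val):
            return "ln"
    if has_dotdot(path.split(MARKER, 1)[1]):
        return "path_info"
    return None

def scan(lines):
    """Return (line_number, vector) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        vector = classify(match.group(1)) if match else None
        if vector:
            hits.append((number, vector))
    return hits

# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/faces/javax.faces.resource/style.css?ln=css HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /app/faces/javax.faces.resource/web.xml?ln=..%2Fplaceholder HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /app/faces/javax.faces.resource/%252e%252e/placeholder HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Jan/2024:10:00:12 +0000] "GET /app/faces/javax.faces.resource/jquery..min.js?ln=js HTTP/1.1" 200 900',
]
```

A hit with a 200 status on a version listed as affected is worth following up; a hit on a patched version only shows that the request was attempted.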