Oracle JavaServer Faces Multiple Partial Directory Traversals

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

A Java application hosted on the remote web server is affected by
multiple partial directory traversal vulnerabilities.

Description :

The remote web server contains a JavaServer Faces application that is
affected by multiple partial directory traversal vulnerabilities :

- A defect exists in the handling of a resource identifier
that allows for directory traversal within the
application.

- A defect exists in the handling of a library name that
allows for directory traversal within the application.

Note that the application may also be affected by a ViewState HMAC
non-constant verification weakness; however, Nessus has not tested
for this.

Note that this plugin will only report the first vulnerable
application.

See also :

http://www.nessus.org/u?5de4499a
http://www.nessus.org/u?ac29c174

Solution :

Install the patch per the instructions in the vendor's advisory.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 70963

Bugtraq ID: 63052

CVE ID: CVE-2013-3827