Oracle JavaServer Faces Multiple Partial Directory Traversals

Nessus Plugin ID 70963 (Severity: Medium)

Synopsis

A Java application hosted on the remote web server is affected by multiple partial directory traversal vulnerabilities.

Description

The remote web server contains a JavaServer Faces application that is affected by multiple partial directory traversal vulnerabilities. The traversals are "partial" in that they stay within the deployed web application's own directory tree rather than reaching the host file system:

- A defect in the handling of the resource identifier in a resource request allows a crafted identifier to traverse directories within the application.

- A defect in the handling of the library name in a resource request allows a crafted library name to traverse directories within the application.
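The two defects above share one shape: a resource request carries a resource identifier and an optional library name, the server joins them onto its resource directory, and if neither value is validated a dot segment in either one walks out of that directory. The Python below is an added illustration of that pattern and its fix; it is not Nessus or Oracle code and does not reproduce the affected product's code path. The web application root and resource directory are hypothetical, and the sample requests are constructed. The hardened form rejects dot segments and separator characters in each value and then confirms that the canonical path is still under the resource directory.

```python
import os
from urllib.parse import unquote

# Hypothetical deployment layout (an assumption for this example, POSIX paths):
# the resource directory sits beside WEB-INF inside the web application.
WEBAPP_ROOT = "/var/lib/webapp"
RESOURCE_ROOT = os.path.normpath(os.path.join(WEBAPP_ROOT, "resources"))

# Backslash is rejected outright: some platforms and containers treat it as a
# separator, so a check that only looks for "../" can be bypassed with "..\".
FORBIDDEN_CHARS = ("\\", "\x00")


def naive_resolve(resource_name, library_name=None):
    """The vulnerable pattern: decode the caller-supplied values, join them onto
    the resource directory and serve whatever that resolves to. A library name
    of "../WEB-INF" leaves the resource directory but stays inside the web
    application, which is exactly a partial traversal."""
    parts = [RESOURCE_ROOT]
    if library_name:
        parts.append(unquote(library_name))
    parts.append(unquote(resource_name))
    return os.path.normpath(os.path.join(*parts))


def _check_value(value, what):
    """Allow a plain name or a relative path made of ordinary segments only."""
    if not value:
        raise ValueError(f"empty {what}")
    if any(c in value for c in FORBIDDEN_CHARS):
        raise ValueError(f"{what} contains a forbidden character: {value!r}")
    # Splitting on "/" catches "../x", "x/../y" and a leading "/" alike; a
    # leading "/" matters because os.path.join would discard the root for it.
    for segment in value.split("/"):
        if segment in ("", ".", ".."):
            raise ValueError(f"{what} contains an empty or dot segment: {value!r}")


def safe_resolve(resource_name, library_name=None):
    """Hardened form: validate each value, then confirm that the canonical
    path is still under RESOURCE_ROOT before returning it."""
    # Decode once, as a servlet container does before handing values to the
    # application, so the check sees the same string the file system will.
    name = unquote(resource_name)
    _check_value(name, "resource identifier")
    parts = [RESOURCE_ROOT]
    if library_name:
        lib = unquote(library_name)
        _check_value(lib, "library name")
        parts.append(lib)
    parts.append(name)
    canonical = os.path.normpath(os.path.join(*parts))
    # The containment check is the real guard; the per-value checks above only
    # give earlier, more specific errors.
    if not canonical.startswith(RESOURCE_ROOT + os.sep):
        raise ValueError(f"resolved outside the resource directory: {canonical}")
    return canonical


def is_safe(resource_name, library_name=None):
    """True when safe_resolve accepts the request, False when it rejects it."""
    try:
        safe_resolve(resource_name, library_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: an ordinary one and the two traversal shapes the
    # advisory describes (via the library name and via the resource identifier).
    for name, lib in [("styles.css", "theme"),
                      ("web.xml", "../WEB-INF"),
                      ("../WEB-INF/web.xml", None)]:
        print(f"{name!r} ln={lib!r}: naive -> {naive_resolve(name, lib)}, "
              f"accepted by safe_resolve -> {is_safe(name, lib)}")
```

The per-segment checks alone are not the defence; the containment test on the normalized path is what holds even if a new encoding or separator slips past the string filters.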

Note that the application may also be affected by a ViewState HMAC verification weakness, in which the HMAC comparison is not constant-time and therefore leaks timing information; Nessus has not tested for this.
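The note above names a second, untested weakness: a ViewState HMAC check that is not constant-time. As an added example, not Oracle's or any JSF implementation's ViewState code, the Python below signs a serialized view state, shows the early-exit comparison whose running time grows with the number of leading tag bytes a guess gets right, and verifies with hmac.compare_digest instead. The key, the state format and the token layout (base64 of state followed by tag) are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed server-side secret for the example; a real deployment keeps this
# out of source and rotates it.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def tag_for(state, key=KEY):
    """HMAC-SHA256 over the serialized view state."""
    return hmac.new(key, state, hashlib.sha256).digest()


def encode_state(state, tag):
    """Client-side token: base64(state || tag), as a hidden form field would carry it."""
    return base64.b64encode(state + tag)


def sign_state(state, key=KEY):
    return encode_state(state, tag_for(state, key))


def leaky_equal(a, b):
    """Early-exit comparison. Returns (equal, bytes_examined); the second value
    is what a timing attacker measures: it grows by one for every leading byte
    of the guess that is correct, so the tag can be recovered byte by byte."""
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def verify_state(blob, key=KEY, constant_time=True):
    """Return the state if the tag checks out, else None. constant_time=False
    selects the early-exit comparison, the weak form the advisory's note refers to."""
    raw = base64.b64decode(blob)
    if len(raw) < TAG_LEN:
        return None
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = tag_for(state, key)
    if constant_time:
        ok = hmac.compare_digest(tag, expected)
    else:
        ok, _ = leaky_equal(tag, expected)
    return state if ok else None


if __name__ == "__main__":
    # Constructed view state; the attacker's goal is to forge a tag for a
    # modified state without knowing KEY.
    state = b'{"viewId":"/index.xhtml","counter":3}'
    token = sign_state(state)
    print("genuine token verifies:", verify_state(token) == state)
    real = tag_for(state)
    for correct_prefix in (0, 5, 31):
        guess = real[:correct_prefix] + bytes([real[correct_prefix] ^ 1]) + real[correct_prefix + 1:]
        print(f"{correct_prefix} leading bytes right -> {leaky_equal(real, guess)[1]} bytes examined")
```

Both verification paths reject a bad tag; the difference is that only the constant-time one refuses to tell the attacker how close the guess was.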

Note that this plugin reports only the first vulnerable application it finds; other JSF applications on the same server are not listed.

Solution

Install the patch per the instructions in the vendor's advisory (linked under See Also).

See Also

http://www.nessus.org/u?5de4499a

http://www.nessus.org/u?ac29c174

Plugin Details

Severity: Medium

ID: 70963

File Name: oracle_javaserver_faces_directory_traversal.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 11/19/2013

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:oracle:fusion_middleware

Exploit Available: true

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 10/14/2013

Vulnerability Publication Date: 10/15/2013

Reference Information

CVE: CVE-2013-3827

BID: 63052

CERT: 526012