製品・ソフトウェアに関する情報

JVN脆弱性詳細

Eclipse Mojarra におけるパストラバーサルの脆弱性

Title	Eclipse Mojarra におけるパストラバーサルの脆弱性
Summary	Eclipse Mojarra には、パストラバーサルの脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 13, 2020, midnight
Registration Date	Nov. 22, 2021, 3:59 p.m.
Last Update	Nov. 22, 2021, 3:59 p.m.

Affected System

日立

uCosminexus Application Server

uCosminexus Application Server(64)

uCosminexus Application Server-R

uCosminexus Developer

uCosminexus Primary Server Base

uCosminexus Primary Server Base(64)

uCosminexus Service Architect

uCosminexus Service Platform

uCosminexus Service Platform(64)

Eclipse Foundation

Mojarra 2.3.14 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-6950	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6950
National Vulnerability Database (NVD)
2	CVE-2020-6950	https://nvd.nist.gov/vuln/detail/CVE-2020-6950

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
Bugzilla
1	Bug 550943	https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943
GitHub
2	Multiple Path Traversal security issues	https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741
3	Multiple Path Traversal security issues #4571	https://github.com/eclipse-ee4j/mojarra/issues/4571
Hitachi Software Vulnerability Information
4	hitachi-sec-2021-141	https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2021-141/index.html
ソフトウェア製品セキュリティ情報
5	hitachi-sec-2021-141	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2021-141/index.html

Change Log

No	Changed Details	Date of change
1	[2021年11月22日] 掲載	Nov. 22, 2021, 2:55 p.m.

NVD Vulnerability Information

CVE-2020-6950

Summary	Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.
Publication Date	June 3, 2021, 1:15 a.m.
Registration Date	June 3, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 2:36 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:eclipse:mojarra::::::::					2.3.14

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:oracle:solaris_cluster:4.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.6.2:::::::*
cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
cpe:2.3:a:oracle:communications_network_integrity:7.3.6:::::::*
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:::::::*
cpe:2.3:a:oracle:time_and_labor::::::::	12.2.6	12.2.11
cpe:2.3:a:oracle:hyperion_calculation_manager::::::::				11.2.8.0

Related information, measures and tools

No	URL	タグ
1	https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943	Issue Tracking Vendor Advisory
2	https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943	Issue Tracking Vendor Advisory
3	https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741	Patch Third Party Advisory
4	https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741	Patch Third Party Advisory
5	https://github.com/eclipse-ee4j/mojarra/issues/4571	Issue Tracking Third Party Advisory
6	https://github.com/eclipse-ee4j/mojarra/issues/4571	Issue Tracking Third Party Advisory
7	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
8	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
9	https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
10	https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
11	https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
12	https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:oracle:solaris_cluster:4.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.6.2:::::::*
cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
cpe:2.3:a:oracle:communications_network_integrity:7.3.6:::::::*
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.12.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:::::::*
cpe:2.3:a:oracle:time_and_labor::::::::	12.2.6	12.2.11
cpe:2.3:a:oracle:hyperion_calculation_manager::::::::				11.2.8.0