org.apache.myfaces.core:myfaces-impl@2.1.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.myfaces.core:myfaces-impl package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • [H] Information Exposure

Affected versions of org.apache.myfaces.core:myfaces-impl are vulnerable to Information Exposure. If a submit outcome includes both faces-redirect=true and includeViewParams=true (or its alias faces-include-view-params=true), it is possible to inject EL expressions directly into input fields mapped as view parameters.

Vulnerable versions: [2.0.0,2.0.11) [2.1.0,2.1.5)
  • [M] Directory Traversal

org.apache.myfaces.core:myfaces-impl contains the private implementation classes of the Apache MyFaces Core JSF-2.3 Implementation.

Affected versions of this package are vulnerable to Directory Traversal. It allows remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.

How to fix Directory Traversal?

Upgrade org.apache.myfaces.core:myfaces-impl to version 2.0.12, 2.1.5 or higher.

Vulnerable versions: [2.0.0,2.0.12) [2.1.0,2.1.5)