CVE-2018-14371
Description
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in Eclipse Mojarra before 2.3.7 allows remote attackers to download configuration files or Java bytecodes via the `loc` parameter.
Vulnerability
A directory traversal vulnerability exists in the getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before version 2.3.7. The function does not properly validate the loc request parameter, allowing an attacker to supply path traversal sequences (e.g., ../) to read arbitrary files outside the intended directory. Affected versions are all Eclipse Mojarra releases prior to 2.3.7 [1][2][3].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to an application using the vulnerable Mojarra library. The attacker must be able to supply the loc parameter in the request, typically via a query string or POST body. No authentication is required; the attack is performed remotely over the network. The fix added a check using nameContainsForbiddenSequence() to reject inputs containing traversal sequences [3].
Impact
Successful exploitation allows a remote, unauthenticated attacker to download arbitrary files from the server, including configuration files and Java bytecode (.class files). This can lead to disclosure of sensitive information such as database credentials, application secrets, or intellectual property contained in the source code. The impact is limited to file read; the vulnerability does not provide code execution [1][2].
Mitigation
Upgrade to Eclipse Mojarra version 2.3.7 or later, which was released on 2018-07-16. The commit [3] implements the fix by adding a validation check in getLocalePrefix(). As a workaround, applications can filter the loc parameter at the web server or reverse proxy layer to reject path traversal sequences. No workaround is provided in the Mojarra library itself for earlier versions [2][3].
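The workaround above (filtering the `loc` parameter before it reaches Mojarra) and the access-log review a responder would do after patching can share one check. The following Python is an added example, not code from Mojarra or from the advisory; its forbidden-sequence rule is an assumption modelled on the idea of the fix, not the library's own `nameContainsForbiddenSequence()`, and the `/javax.faces.resource/` URL shape and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Sequences a locale prefix should never contain. ASSUMPTION: this mirrors
# the intent of the Mojarra 2.3.7 fix, not its actual implementation.
FORBIDDEN = ("..", "/", "\\")


def normalize_loc(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded traversal is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def loc_is_forbidden(value: str) -> bool:
    """True when a `loc` value carries a traversal or path-separator sequence.

    Usable as the reject rule in a reverse-proxy filter for unpatched hosts.
    """
    decoded = normalize_loc(value)
    return any(seq in decoded for seq in FORBIDDEN)


# Minimal common-log-format matcher: request line and status only.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Return (request target, decoded loc) for every request with a forbidden loc."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("loc", []):
            if loc_is_forbidden(value):
                hits.append((m.group("target"), normalize_loc(value)))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /javax.faces.resource/app.css.xhtml?loc=en_US HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /javax.faces.resource/app.css.xhtml?loc=../../../config HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /javax.faces.resource/app.css.xhtml?loc=%252e%252e%252fconfig HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /index.xhtml HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target, loc in scan_access_log(SAMPLE_LOG):
        print(f"suspicious loc={loc!r} in {target}")
```

A 200 status on a flagged line is the signal to treat the host as exposed and check which resources were served.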
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.glassfish:mojarra-parent | Maven | < 2.3.7 | 2.3.7 |
Affected products
- Range: <2.3.7
Patches
1b434748d923 fixing CTS failure issue in master branch
2 files changed · +5 −1
impl/src/main/java/com/sun/faces/application/applicationimpl/InstanceFactory.java+4 −0 modified@@ -288,6 +288,10 @@ public UIComponent createComponent(FacesContext context, Resource componentResou } public UIComponent createComponent(FacesContext context, String componentType, String rendererType) { + + notNull(CONTEXT, context); + notNull(COMPONENT_TYPE, componentType); + return createComponentApplyAnnotations(context, componentType, rendererType, true); }
impl/src/main/java/com/sun/faces/application/resource/ResourceManager.java+1 −1 modified@@ -565,7 +565,7 @@ private String getLocalePrefix(FacesContext context) { localePrefix = context.getExternalContext().getRequestParameterMap().get("loc"); - if(localePrefix != null){ + if(localePrefix != null && !nameContainsForbiddenSequence(localePrefix)){ return localePrefix; }
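Review bot: the two `notNull(CONTEXT, context)` / `notNull(COMPONENT_TYPE, componentType)` guards added to `createComponent(FacesContext, String, String)` in InstanceFactory.java are unrelated to the `loc` traversal fix in ResourceManager.java, and the commit message ("fixing CTS failure issue in master branch") names neither change; split the argument-validation change into its own commit, or at least mention the resource-path hardening in the message, so the security-relevant part of 1b434748d923 is discoverable when the fix is backported or audited.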
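Review bot: the rejection path in `getLocalePrefix` is silent: when `nameContainsForbiddenSequence(localePrefix)` is true the method simply falls through past the `if`, so a traversal attempt via `loc` leaves no trace in the application log; log the rejected value at WARNING before falling through so defenders can see the check firing. The diff also shows neither what `nameContainsForbiddenSequence` rejects nor a test for it; add a unit test that calls `getLocalePrefix` with `loc` values containing `..` and path separators (raw and percent-encoded) to pin the contract.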
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-43q7-q5vp-3g68 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-14371 (GHSA, advisory)
- github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24 (GHSA, x_refsource_CONFIRM, web)
- github.com/eclipse-ee4j/mojarra/pull/4384 (GHSA, web)
- github.com/javaserverfaces/mojarra/issues/4364 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.