VYPR
High severity · NVD Advisory · Published Jun 2, 2021 · Updated Aug 4, 2024

CVE-2020-6950

Description

Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Eclipse Mojarra versions before 2.3.14 contain a directory traversal vulnerability in the resource handling code. The WebappResourceHelper.findPathConsideringContracts() and ClasspathResourceHelper.findPathConsideringContracts() methods take the value of the con HTTP request parameter as a contract name without checking it for path traversal sequences such as ../. The loc parameter, which supplies a locale prefix, was likewise insufficiently sanitized. Either parameter therefore lets an attacker read arbitrary files within the application context. The issue is tracked in [1][4].

Exploitation

An attacker can send a crafted HTTP request containing a con or loc parameter with path traversal sequences (e.g., ../WEB-INF/web.xml). No authentication is required; the vulnerability is reachable under default configuration. The attacker only needs network access to the affected application server [4].

Impact

Successful exploitation allows an attacker to read arbitrary files within the application's context root, potentially exposing sensitive configuration files like WEB-INF/web.xml, source code, or credentials. This can lead to further compromise of the application and its environment [1][4].

Mitigation

Upgrade to Eclipse Mojarra version 2.3.14 or later. The fix was committed in commit cefbb9447e7be560e59da2da6bd7cb93776f7741, which applies the nameContainsForbiddenSequence() check to the con parameter in both resource helpers (making the existing helper method package-visible) and discards a loc locale prefix that fails the same check, so path traversal sequences in these resource parameters are rejected. Users on unsupported versions (e.g., 2.3.x prior to 2.3.14) should contact their vendor for support as recommended in the project's repository [1][3].
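As an added example for this page, not code from Mojarra or its fix commit, the following Java class applies the same idea as the patch to a hypothetical resource resolver: a forbidden-sequence check on the con and loc values, backed by a canonical-path containment check so that a value the blocklist misses still cannot escape the contracts directory. The class name, the FORBIDDEN list and the contracts/<con>/<loc>/<resource> layout are assumptions made for this example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Optional;

// Hypothetical hardened resolver written for this page, not Mojarra's code. It models
// the "con" contract name and "loc" locale prefix that the vulnerable code spliced into a path.
public final class ContractResourceResolver {

    // Substrings never allowed in a contract name or locale prefix. The list is an
    // assumption for this example, not the list used by Mojarra's own check.
    private static final String[] FORBIDDEN = {"..", "/", "\\", "\0", "%2e", "%2f", "%5c", "%00"};
    static boolean nameContainsForbiddenSequence(String name) {
        if (name == null) {
            return false;
        }
        // Locale.ROOT keeps the case folding independent of the JVM's default locale.
        String lowered = name.toLowerCase(Locale.ROOT);
        for (String s : FORBIDDEN) {
            if (lowered.contains(s)) {
                return true;
            }
        }
        return false;
    }

    // Resolves <root>/contracts/<con>/<loc>/<resource>. The blocklist rejects the obvious
    // sequences; normalize() plus startsWith() is the guarantee that the path stays inside.
    static Optional<Path> resolve(Path root, String con, String loc, String resource) {
        if (nameContainsForbiddenSequence(con) || nameContainsForbiddenSequence(loc)) {
            return Optional.empty();
        }
        try {
            Path base = root.resolve("contracts").normalize();
            Path candidate = base.resolve(con).resolve(loc).resolve(resource).normalize();
            return candidate.startsWith(base) ? Optional.of(candidate) : Optional.empty();
        } catch (InvalidPathException e) {
            return Optional.empty(); // e.g. an embedded NUL in the resource name
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/app");
        System.out.println("valid:     " + resolve(root, "blue", "en", "css/style.css"));
        System.out.println("traversal: " + resolve(root, "../WEB-INF", "en", "web.xml"));
        System.out.println("resource:  " + resolve(root, "blue", "en", "../../../WEB-INF/web.xml"));
    }
}
```

The third case shows why the containment check matters: the resource name is not blocklisted here, yet the normalized path leaves the contracts directory and is refused.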

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Ecosystem   Affected versions   Patched versions
org.glassfish:mojarra-parent  Maven       < 2.3.14            2.3.14

Affected products

2

Patches

1
cefbb9447e7b

Multiple Path Traversal security issues

3 files changed · +5 -3
  • impl/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java +1 -1 modified
    @@ -355,7 +355,7 @@ private URL findPathConsideringContracts(ClassLoader loader,
             } else if (root == null) {
                 String contractName = ctx.getExternalContext().getRequestParameterMap()
                       .get("con");
    -            if (null != contractName && 0 < contractName.length()) {
    +            if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
                     contracts = new ArrayList<>();
                     contracts.add(contractName);
                 } else {
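Review bot: the new `!ResourceManager.nameContainsForbiddenSequence(contractName)` clause rejects a bad contract name silently; a crafted con value simply drops into the else branch as if no contract had been requested. Log the rejected value (WARNING is reasonable, since a forbidden sequence in this parameter is a clear probing signal) before falling through, and add a unit test for findPathConsideringContracts with a contractName of `../WEB-INF`, the value named in the advisory, so the rejection is covered by the build.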
    
  • impl/src/main/java/com/sun/faces/application/resource/ResourceManager.java +3 -1 modified
    @@ -351,7 +351,7 @@ private String trimLeadingSlash(String s) {
             }
         }
         
    -    private static boolean nameContainsForbiddenSequence(String name) {
    +    static boolean nameContainsForbiddenSequence(String name) {
             boolean result = false;
             if (name != null) {
                 name = name.toLowerCase();
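Review bot: widening nameContainsForbiddenSequence from private to package-private is the minimal change that lets the two helpers reuse it, but the body still calls `name.toLowerCase()` with the JVM default locale; use `name.toLowerCase(Locale.ROOT)` so the comparison cannot vary by locale (under a Turkish locale, for instance, an uppercase I does not fold to a plain i). A short Javadoc noting that the method is now part of the package's contract would also help the next maintainer.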
    @@ -567,6 +567,8 @@ private String getLocalePrefix(FacesContext context) {
             
             if(localePrefix != null && !nameContainsForbiddenSequence(localePrefix)){
                 return localePrefix;
    +        } else {
    +            localePrefix = null; 
             }
             
             String appBundleName = context.getApplication().getMessageBundle();
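Review bot: the added else branch is the right fix for the locale path, because the fallback code after the if can no longer pick up a localePrefix that failed the forbidden-sequence check; `localePrefix = null;` carries trailing whitespace that should be trimmed. As with the contract check, a rejected prefix is dropped without any log entry, so consider logging it at the same level used for the con parameter.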
    
  • impl/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java +1 -1 modified
    @@ -315,7 +315,7 @@ private String findPathConsideringContracts(LibraryInfo library,
             } else if (root == null) {
                 String contractName = ctx.getExternalContext().getRequestParameterMap()
                       .get("con");
    -            if (null != contractName && 0 < contractName.length()) {
    +            if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
                     contracts = new ArrayList<>();
                     contracts.add(contractName);
                 } else {
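Review bot: this condition is now character-for-character identical to the one in ClasspathResourceHelper.findPathConsideringContracts, and both helpers read the raw "con" request parameter on their own. Factor the parameter read plus validation into one helper (for example on ResourceManager, next to nameContainsForbiddenSequence) so that a future tightening of the check cannot land in one helper and be missed in the other, which is how this class of bug tends to reappear.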
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.