HIGH-LEVEL VULNERABILITY WITHIN MOJARRA JSF V2.2 #4556
Assignees
Comments
|
To reproduce the issue, please follow the steps in advisory.txt And, please use below *.war application, instead of the HelloPrimeFaces mentioned in advisory.txt . Please rename *.war.zip to *.war before deploying it. |
ruolli
changed the title
ruolli
added a commit
that referenced
this issue
May 16, 2019
Fixes #4556 : HIGH-LEVEL VULNERABILITY WITHIN MOJARRA JSF V2.2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a security bug. Please fix it in accordance with:
Http://security.us.oracle.com/doku.php?id=gps:resource:process:bugfix
Dear Oracle team,
SEC Consult is a leading consulting company for information security. During
a short security crash test we have found a high-level security vulnerability
within Oracle Mojarra JSF v2.2.
The encrypted security advisory with proof of concept information is
attached. I have also attached my public PGP and S/MIME keys for further
encrypted communication. Please provide us with an estimate on when the
vulnerability will be fixed in order to set the actual release date. Please
keep us informed if there are any changes.
Please also see our attached responsible disclosure policy (PDF) which
defines the process of publication of the security advisory. The security
advisory will be released according to the chapter 5.3, phase 3 "Public
disclosure", the latest possible release date is 50 days from now: 2019-01-11
Keep in mind that we can't give any other free support besides providing the
security advisory information.
Best regards,
Jean-Benjamin Rousseau
Security Consultant
The text was updated successfully, but these errors were encountered: