CVE-2012-2672

Name: CVE-2012-2672
Description: Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information and access resources from another WAR file by calling the FacesContext.getCurrentInstance function.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low (attack range: local)
Debian Bugs: 677194

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| mojarra (PTS) | jessie | 2.2.8-1 | fixed |
| | stretch | 2.2.8-3 | fixed |
| | buster, sid | 2.2.8-5 | fixed |

The information below is based on the following data on fixed versions.

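| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mojarra | source | (unstable) | 2.2.8-1 | low | | 677194 |
| mojarra | source | squeeze | (not affected) | | | |
| mojarra | source | wheezy | (not affected) | | | |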

Notes

[wheezy] - mojarra <not-affected> (Only affected in combination with EAP6/AS7 application servers, not shipped in Debian)
[squeeze] - mojarra <not-affected> (Only affected in combination with EAP6/AS7 application servers, not shipped in Debian)
