{"id":"CVE-2018-14371","details":"The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.","aliases":["GHSA-43q7-q5vp-3g68"],"modified":"2026-04-11T12:27:28.171030Z","published":"2018-07-18T12:29:00.257Z","references":[{"type":"ADVISORY","url":"https://github.com/javaserverfaces/mojarra/issues/4364"},{"type":"FIX","url":"https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse-ee4j/mojarra","events":[{"introduced":"0"},{"fixed":"1b434748d9239f42eae8aa7d37d7a0930c061e24"}]},{"type":"GIT","repo":"https://github.com/eclipse-ee4j/mojarra","events":[{"introduced":"0"},{"fixed":"1b434748d9239f42eae8aa7d37d7a0930c061e24"}]}],"versions":["initial-contribution"],"database_specific":{"vanir_signatures_modified":"2026-04-11T12:27:28Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14371.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.3.7"}]},{"events":[{"introduced":"0"},{"fixed":"2.3.7"}]}],"vanir_signatures":[{"target":{"file":"impl/src/main/java/com/sun/faces/application/resource/ResourceManager.java","function":"getLocalePrefix"},"signature_type":"Function","source":"https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24","digest":{"function_hash":"78985184270963556182314007368417430050","length":731},"id":"CVE-2018-14371-049ce9b2","deprecated":false,"signature_version":"v1"},{"target":{"file":"impl/src/main/java/com/sun/faces/application/resource/ResourceManager.java"},"signature_type":"Line","source":"https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24","digest":{"line_hashes":["70322480537739052774084584317398054035","231251267116386616632618780783746322157","291069530633298000581908944237761418377","288578048813723010792164654894819094770"],"threshold":0.9},"id":"CVE-2018-14371-93e1e03b","deprecated":false,"signature_version":"v1"},{"target":{"file":"impl/src/main/java/com/sun/faces/application/applicationimpl/InstanceFactory.java"},"signature_type":"Line","source":"https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24","digest":{"line_hashes":["308523144820732483400291549987336030538","279007306830836050829605516263463414455","204613409217991402601037419095691594240","123030983730660267491737243797690444936"],"threshold":0.9},"id":"CVE-2018-14371-bfc96243","deprecated":false,"signature_version":"v1"},{"target":{"file":"impl/src/main/java/com/sun/faces/application/applicationimpl/InstanceFactory.java","function":"createComponent"},"signature_type":"Function","source":"https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24","digest":{"function_hash":"35268667866906904737243452786281145631","length":113},"id":"CVE-2018-14371-eff33215","deprecated":false,"signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}