{"id":"CVE-2020-6950","details":"Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.","aliases":["GHSA-rpq8-mmwh-q9hm"],"modified":"2026-04-11T13:53:22.415448Z","published":"2021-06-02T16:15:08.357Z","references":[{"type":"REPORT","url":"https://github.com/eclipse-ee4j/mojarra/issues/4571"},{"type":"REPORT","url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943"},{"type":"FIX","url":"https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse-ee4j/mojarra","events":[{"introduced":"0"},{"fixed":"21d2534fd2dd890f2b13ed2a5c338fc259cf7629"},{"introduced":"0"},{"last_affected":"1ffda5ff3a4690c3cf5187b12e8014f67f0d7238"},{"fixed":"cefbb9447e7be560e59da2da6bd7cb93776f7741"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.3.14"},{"introduced":"0"},{"last_affected":"4.0"}]}}],"versions":["2.3.3.102","4.0.0-RELEASE","initial-contribution"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"202762170446459133786542832831365494378","length":1102},"target":{"function":"findPathConsideringContracts","file":"impl/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java"},"source":"https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741","deprecated":false,"id":"CVE-2020-6950-1eec707c","signature_type":"Function"},{"signature_version":"v1","digest":{"line_hashes":["327922468738949009520665501875403193676","280557685043635043046617085761076948685","149614859817110160033372584879992522944","297201853854087322211814576356382111919"],"threshold":0.9},"target":{"file":"impl/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java"},"source":"https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741","deprecated":false,"id":"CVE-2020-6950-202fe355","signature_type":"Line"},{"signature_version":"v1","digest":{"function_hash":"164793891236731149737771110254800422834","length":753},"target":{"function":"getLocalePrefix","file":"impl/src/main/java/com/sun/faces/application/resource/ResourceManager.java"},"source":"https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741","deprecated":false,"id":"CVE-2020-6950-3759e947","signature_type":"Function"},{"signature_version":"v1","digest":{"line_hashes":["327922468738949009520665501875403193676","280557685043635043046617085761076948685","149614859817110160033372584879992522944","297201853854087322211814576356382111919"],"threshold":0.9},"target":{"file":"impl/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java"},"source":"https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741","deprecated":false,"id":"CVE-2020-6950-704c57fb","signature_type":"Line"},{"signature_version":"v1","digest":{"function_hash":"92691063882270755257462325335720830765","length":1113},"target":{"function":"findPathConsideringContracts","file":"impl/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java"},"source":"https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741","deprecated":false,"id":"CVE-2020-6950-98954b3c","signature_type":"Function"},{"signature_version":"v1","digest":{"line_hashes":["253486533298527110866937080966426277777","317122338195403230137015481196474150719","152375503309331982662867029571013231594","254513352893525569632194411325804193789","22497317531715227242858893189539738053","110715861968449235095856192842044305285","173356329293226279929914073126971022580","118502403437888581242720108522154470160"],"threshold":0.9},"target":{"file":"impl/src/main/java/com/sun/faces/application/resource/ResourceManager.java"},"source":"https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741","deprecated":false,"id":"CVE-2020-6950-ebac085b","signature_type":"Line"}],"vanir_signatures_modified":"2026-04-11T13:53:22Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.6.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3.0"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"12.2.6"},{"last_affected":"12.2.11"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-6950.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}