CVE-2012-2672 - Waldenses Typists

Description

Oracle Mojarra 2.1.7 does not properly \clean up\ the FacesContext reference during startup which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function.

Reference

http://java.net/jira/browse/JAVASERVERFACES-2436 http://www.openwall.com/lists/oss-security/2012/06/07/3 http://www.openwall.com/lists/oss-security/2012/06/07/2 http://secunia.com/advisories/49284 https://issues.jboss.org/browse/JBPAPP-9197 http://rhn.redhat.com/errata/RHSA-2012-1592.html http://rhn.redhat.com/errata/RHSA-2012-1591.html http://secunia.com/advisories/51607 http://rhn.redhat.com/errata/RHSA-2012-1594.html https://exchange.xforce.ibmcloud.com/vulnerabilities/76179