CVE-2012-2672

NameCVE-2012-2672
DescriptionOracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs677194

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mojarra (PTS)jessie2.2.8-1fixed
stretch2.2.8-3fixed
sid, buster, bullseye, trixie, bookworm2.2.8-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mojarrasourcesqueeze(not affected)
mojarrasourcewheezy(not affected)
mojarrasource(unstable)2.2.8-1677194

Notes

[wheezy] - mojarra <not-affected> (Only affected in combination with EAP6/AS7 application servers, not shipped in Debian)
[squeeze] - mojarra <not-affected> (Only affected in combination with EAP6/AS7 application servers, not shipped in Debian)

Search for package or bug name: Reporting problems