CVE-2018-14371

The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.

Database specific

{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "2.3.7"
                }
            ],
            "cpes": [
                "cpe:2.3:a:eclipse:mojarra:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "eclipse:mojarra",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "fixed": "2.3.7"
                }
            ],
            "source": "DESCRIPTION"
        }
    ]
}

References

Affected packages

Git / github.com/eclipse-ee4j/mojarra

Affected ranges

Type

GIT

Repo

https://github.com/eclipse-ee4j/mojarra

Events

Introduced

Fixed

1b434748d9239f42eae8aa7d37d7a0930c061e24

Database specific

{
    "source": "REFERENCES"
}

Affected versions

Other

initial-contribution

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "78985184270963556182314007368417430050",
            "length": 731.0
        },
        "id": "CVE-2018-14371-049ce9b2",
        "signature_version": "v1",
        "target": {
            "file": "impl/src/main/java/com/sun/faces/application/resource/ResourceManager.java",
            "function": "getLocalePrefix"
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24"
    },
    {
        "digest": {
            "line_hashes": [
                "70322480537739052774084584317398054035",
                "231251267116386616632618780783746322157",
                "291069530633298000581908944237761418377",
                "288578048813723010792164654894819094770"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2018-14371-93e1e03b",
        "signature_version": "v1",
        "target": {
            "file": "impl/src/main/java/com/sun/faces/application/resource/ResourceManager.java"
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24"
    },
    {
        "digest": {
            "line_hashes": [
                "308523144820732483400291549987336030538",
                "279007306830836050829605516263463414455",
                "204613409217991402601037419095691594240",
                "123030983730660267491737243797690444936"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2018-14371-bfc96243",
        "signature_version": "v1",
        "target": {
            "file": "impl/src/main/java/com/sun/faces/application/applicationimpl/InstanceFactory.java"
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24"
    },
    {
        "digest": {
            "function_hash": "35268667866906904737243452786281145631",
            "length": 113.0
        },
        "id": "CVE-2018-14371-eff33215",
        "signature_version": "v1",
        "target": {
            "file": "impl/src/main/java/com/sun/faces/application/applicationimpl/InstanceFactory.java",
            "function": "createComponent"
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24"
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-14371.json"

vanir_signatures_modified

"2026-05-30T12:22:40Z"