CVE Vulnerability Database

CVE-2020-6950: Eclipse Mojarra Path Traversal Flaw

CVE-2020-6950 is a path traversal vulnerability in Eclipse Mojarra that allows attackers to read arbitrary files via the loc or con parameter. This article covers technical details, affected versions, and mitigation.


CVE-2020-6950 Overview

CVE-2020-6950 is a directory traversal vulnerability in Eclipse Mojarra, the reference implementation of JavaServer Faces (JSF, now Jakarta Faces). Versions prior to 2.3.14 let an unauthenticated remote attacker read arbitrary files readable by the server process by supplying crafted values in the loc (locale prefix) or con (resource library contract) request parameter. The flaw maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Because Mojarra is embedded in numerous Oracle enterprise products, the vulnerability has a broad downstream footprint across banking, communications, retail, and middleware platforms.

Critical Impact

Remote attackers can read arbitrary files accessible to the Java application process, including configuration files, credentials, and source code, leading to disclosure of sensitive data and follow-on compromise.

Affected Products

  • Eclipse Mojarra prior to 2.3.14
  • Oracle Banking Platform (2.6.2, 2.7.1, 2.9.0, 2.12.0) and Oracle Banking Enterprise Default Management (2.10.0, 2.12.0)
  • Oracle Communications Network Integrity 7.3.6, Communications Pricing Design Center 12.0.0.3.0, Hyperion Calculation Manager, Retail Merchandising System 19.0.1, Solaris Cluster 4.0, and Time and Labor

Discovery Timeline

  • 2021-06-02 - CVE-2020-6950 published to NVD
  • 2021-10 - Oracle releases Critical Patch Update October 2021 addressing affected products
  • 2022-01 - Oracle Critical Patch Update January 2022 issued
  • 2022-04 - Oracle Critical Patch Update April 2022 issued
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-6950

Vulnerability Analysis

Eclipse Mojarra serves resources (CSS, JavaScript, images, templates) through the JSF resource handler. When locating a resource, the framework reads two request parameters, loc (locale prefix) and con (resource library contract), and splices them into the path it looks up on the classpath and under the web application root. Before version 2.3.14 the resolution logic did not validate these parameters against traversal sequences such as ../, so attacker-supplied values were used verbatim as path components.

By supplying traversal sequences, an attacker can escape the intended resource root and read any file reachable from the application classloader or from the servlet context on the filesystem. Commonly disclosed files include web.xml, faces-config.xml, and property files that hold database credentials or signing keys. No authentication or user interaction is needed: the attacker sends the crafted resource request directly and receives the file contents in the HTTP response.

Root Cause

The root cause is missing sanitization of user-controlled path components in ClasspathResourceHelper and ResourceManager. The helper took the loc and con request parameters and appended them to the classpath resource lookup without rejecting values containing .., /, \, or their URL-encoded forms. A suitable guard, nameContainsForbiddenSequence, already existed in ResourceManager, but it was private and was not applied when locale prefixes and contract names were resolved.
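The two passages above (how loc and con are spliced into the lookup path, and the guard that should have been applied) in runnable form. This is an added example written for this page, not Mojarra's own code: the exploded-WAR layout, the function names and the forbidden-sequence list are assumptions modelled on the description, and the canonical-path containment check in the hardened branch is an extra layer this example adds on top of the string check in the fix.

```python
import os
import tempfile

# Sequences a locale prefix or contract name must never contain.  This list is the
# example's own, chosen from the description above; Mojarra's ResourceManager keeps
# its own list.
FORBIDDEN_SEQUENCES = ("..", "/", "\\", "%2f", "%5c", "%2e")


def name_contains_forbidden_sequence(name):
    """Case-insensitive check, so %2F and %2f are treated alike.  A None name means
    'parameter not supplied' and passes, as the Mojarra check does."""
    if name is None:
        return False
    lowered = name.lower()
    return lowered.startswith(".") or any(seq in lowered for seq in FORBIDDEN_SEQUENCES)


def make_webapp():
    """Constructed exploded WAR: one public resource, one contract, one secret."""
    root = tempfile.mkdtemp(prefix="mojarra-demo-")
    files = {
        "META-INF/resources/en/style.css": "body { color: black }\n",
        "META-INF/contracts/blue/theme.css": "body { color: blue }\n",
        "WEB-INF/web.xml": "<web-app><!-- db.password=s3cret --></web-app>\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def resolve(root, resource, loc=None, con=None, hardened=False):
    """Locate a resource the way the page describes the handler doing it.

    hardened=False mirrors pre-2.3.14 behaviour: loc and con are spliced into the
    lookup path unvalidated.  hardened=True applies the forbidden-sequence guard
    from the fix plus a canonical-path containment check (this example's own extra
    layer; it also defeats symlinks, which the string check alone does not)."""
    meta_inf = os.path.realpath(os.path.join(root, "META-INF"))
    if hardened:
        for label, value in (("loc", loc), ("con", con)):
            if name_contains_forbidden_sequence(value):
                raise PermissionError(f"forbidden sequence in {label}={value!r}")
    base = os.path.join(meta_inf, "contracts", con) if con else os.path.join(meta_inf, "resources")
    path = os.path.join(base, loc, resource) if loc else os.path.join(base, resource)
    if hardened:
        path = os.path.realpath(path)
        if os.path.commonpath([meta_inf, path]) != meta_inf:
            raise PermissionError(f"{path} escapes {meta_inf}")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def blocked(root, resource, **params):
    """True when the hardened resolver refuses the request."""
    try:
        resolve(root, resource, hardened=True, **params)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    app = make_webapp()
    print("legit loc=en          :", resolve(app, "style.css", loc="en").strip())
    print("loc traversal (vuln)  :", resolve(app, "web.xml", loc="../../WEB-INF").strip())
    print("con traversal (vuln)  :", resolve(app, "web.xml", con="../../WEB-INF").strip())
    print("loc traversal (fixed) :", blocked(app, "web.xml", loc="../../WEB-INF"))
    print("encoded con (fixed)   :", blocked(app, "web.xml", con="..%2f..%2fWEB-INF"))
```

The vulnerable branch reads WEB-INF/web.xml through either parameter because two ../ steps from META-INF/resources (or META-INF/contracts) land in the web application root. The string guard is what the 2.3.14 fix adds; the realpath containment check is the second control a practitioner should keep even after patching, because it catches anything the denylist misses.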

Attack Vector

The attack is delivered over the network against any JSF-enabled endpoint that serves Mojarra resources, commonly at paths under /javax.faces.resource/ (with whatever prefix or suffix the FacesServlet mapping adds, for example /faces/ or .xhtml). The attacker sends a request whose loc or con query parameter carries traversal sequences and reads the targeted file from the HTTP response; no victim interaction is involved.

java
// Patch in ClasspathResourceHelper.java - enforce forbidden sequence check
// on the contract (con) parameter before using it for resource resolution
} else if (root == null) {
    String contractName = ctx.getExternalContext().getRequestParameterMap()
          .get("con");
-   if (null != contractName && 0 < contractName.length()) {
+   if (null != contractName && 0 < contractName.length()
+         && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
        contracts = new ArrayList<>();
        contracts.add(contractName);
    } else {
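Review bot: a contract name that fails nameContainsForbiddenSequence is silently dropped into the else branch, so the request proceeds as though no con parameter had been sent instead of being rejected; consider logging the rejected value so probes leave a trace in application logs, and confirm the loc parameter receives the same guard, since this hunk only covers con.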

// Patch in ResourceManager.java - widen visibility so other helpers can reuse it
- private static boolean nameContainsForbiddenSequence(String name) {
+ static boolean nameContainsForbiddenSequence(String name) {
      boolean result = false;
      if (name != null) {
          name = name.toLowerCase();
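Review bot: the visibility change is the only edit in this hunk, so the set of sequences the method rejects is unchanged; the excerpt stops before that list, so anyone citing this commit as the fix for encoded variants such as %2e%2e or ..%5c should read the full method rather than assume they are covered. Since the method now becomes part of the package contract for the resource helpers, a short Javadoc stating what it rejects would help callers, and toLowerCase(Locale.ROOT) would make the case folding independent of the server's default locale.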

Source: eclipse-ee4j/mojarra commit cefbb94

Detection Methods for CVE-2020-6950

Indicators of Compromise

  • HTTP requests to Mojarra resource endpoints (/javax.faces.resource/, possibly behind a /faces/ prefix or with a .xhtml or .jsf suffix) whose loc= or con= parameter contains .., %2e%2e, ..%2f, ..%5c, or ..\
  • Web server access logs showing successful (HTTP 200) responses to JSF resource requests returning non-resource content sizes or MIME types
  • Application logs referencing ClasspathResourceHelper or ResourceManager resolving locale or contract names containing traversal characters

Detection Strategies

  • Inspect WAF and reverse proxy logs for query strings matching (loc|con)=[^&]*(\.\.|%2e%2e) against JSF resource endpoints; URL-decode the parameter value (twice, to catch %252e) before matching, since proxies may log it encoded
  • Inventory deployed Java applications and identify Mojarra versions below 2.3.14 in WEB-INF/lib/ or in the Maven coordinates org.glassfish:javax.faces and org.glassfish:jakarta.faces
  • Correlate file-access telemetry (auditd, EDR) showing the application server process reading web.xml, application.properties, or *.keystore files with preceding Mojarra resource requests
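The indicators and detection strategies above run over access-log lines, as an added example written for this page rather than a vendor or project tool. The log lines are constructed in Apache combined format, the double-decoding depth and the resource-path pattern are assumptions, and the output is a list of alerts a SIEM rule could be built from.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Mojarra serves resources under /javax.faces.resource/, possibly behind a /faces/
# prefix or with a .xhtml/.jsf suffix, so match on that path segment only.
RESOURCE_PATH = re.compile(r"/javax\.faces\.resource/", re.IGNORECASE)
# Traversal after decoding: ../ or ..\ (or a bare trailing ..), or an absolute path.
TRAVERSAL = re.compile(r"(\.\.(?:[/\\]|$)|^[/\\]|^[a-zA-Z]:[/\\])")
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) '
    r'(?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one legitimate request, three probes, one non-resource request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2021:10:01:22 +0000] "GET /app/javax.faces.resource/style.css.xhtml?ln=css&loc=en HTTP/1.1" 200 1834',
    '203.0.113.7 - - [12/Oct/2021:10:01:30 +0000] "GET /app/javax.faces.resource/web.xml.xhtml?loc=../../WEB-INF HTTP/1.1" 200 4121',
    '198.51.100.9 - - [12/Oct/2021:10:02:05 +0000] "GET /app/faces/javax.faces.resource/faces-config.xml?con=%252e%252e%252f%252e%252e%252fWEB-INF HTTP/1.1" 200 2290',
    '198.51.100.9 - - [12/Oct/2021:10:02:09 +0000] "GET /app/javax.faces.resource/app.js.xhtml?ln=js&loc=..%5c..%5cWEB-INF HTTP/1.1" 404 0',
    '192.0.2.44 - - [12/Oct/2021:10:03:00 +0000] "GET /app/search.xhtml?loc=../../etc/passwd HTTP/1.1" 200 5120',
]


def decode_param(value, depth=2):
    """Undo up to `depth` extra layers of percent-encoding (parse_qsl already did one)
    so %252e%252e surfaces as '..' the way ModSecurity's urlDecodeUni would see it."""
    for _ in range(depth):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return {name: decoded_value} for loc/con parameters carrying traversal,
    or {} when the request is not a Mojarra resource request."""
    parts = urlsplit(target)
    if not RESOURCE_PATH.search(parts.path):
        return {}
    hits = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in ("loc", "con"):
            decoded = decode_param(value)
            if TRAVERSAL.search(decoded):
                hits[name] = decoded
    return hits


def scan(lines):
    """Parse combined-format lines and emit one alert per request that probes
    loc/con; `served` flags a 200, which is the indicator the page calls out."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if not hits:
            continue
        status = int(m["status"])
        alerts.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": status,
            "size": 0 if m["size"] == "-" else int(m["size"]),
            "params": hits,
            "served": status == 200,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The last sample line carries a traversal value but hits a page, not the resource handler, so it is deliberately not alerted on; widen RESOURCE_PATH if an application exposes resources under a non-default mapping.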

Monitoring Recommendations

  • Enable verbose access logging on JSF entry points and forward logs to a central analytics platform for query-parameter analysis
  • Alert on Java application processes opening files outside of the deployment directory shortly after inbound HTTP requests to faces resources
  • Track Oracle Critical Patch Update advisories for the affected products and validate patch posture monthly

How to Mitigate CVE-2020-6950

Immediate Actions Required

  • Upgrade Eclipse Mojarra to version 2.3.14 or later in all custom Java applications
  • Apply the Oracle Critical Patch Updates from October 2021, January 2022, and April 2022 for affected Oracle products
  • Audit deployed WARs and EARs for vulnerable Mojarra JARs and remove or replace them
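The audit step above, as an added example written for this page and not an Oracle or Eclipse tool: it walks an exploded deployment, picks out JARs by the artifact names Mojarra has shipped under (an assumed list), reads the standard Implementation-Version manifest header, and flags anything below 2.3.14. The demo deployment it builds is constructed in a temporary directory.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 3, 14)
# Artifact names Mojarra has shipped under: javax.faces / jakarta.faces (2.x) and the
# older jsf-api / jsf-impl split.  Assumed complete enough for a first pass.
MOJARRA_JAR = re.compile(
    r"^(javax\.faces|jakarta\.faces|jsf-impl|jsf-api)(-[\w.]+)?\.jar$", re.IGNORECASE
)


def parse_version(text):
    """Leading major.minor.patch of a version string; '2.3.9.SP02' -> (2, 3, 9)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def read_impl_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Manifest lines wrap at 72 bytes with a leading space on the continuation.
    manifest = manifest.replace("\r\n", "\n").replace("\n ", "")
    for line in manifest.split("\n"):
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(version):
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"          # no parseable version: inspect by hand
    return "vulnerable" if parsed < FIXED_VERSION else "fixed"


def inventory(app_root):
    """Every Mojarra JAR under app_root with its version and patch status."""
    findings = []
    for dirpath, _, files in os.walk(app_root):
        for name in sorted(files):
            if not MOJARRA_JAR.match(name):
                continue
            path = os.path.join(dirpath, name)
            version = read_impl_version(path)
            findings.append({
                "jar": os.path.relpath(path, app_root),
                "version": version,
                "status": classify(version),
            })
    return findings


def build_demo_webapp():
    """Constructed exploded WAR with one vulnerable, one fixed and one unrelated JAR."""
    root = tempfile.mkdtemp(prefix="war-")
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    for name, version in (("javax.faces-2.3.9.jar", "2.3.9"),
                          ("jakarta.faces-2.3.14.jar", "2.3.14"),
                          ("commons-io-2.6.jar", "2.6")):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n")
    return root


if __name__ == "__main__":
    for finding in inventory(build_demo_webapp()):
        print(finding)
```

Point inventory() at a server's deploy directory or an exploded WAR; packed WARs and EARs need their inner JARs extracted first, and an "unknown" status means the manifest did not carry a version and the JAR needs manual inspection.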

Patch Information

The upstream fix is delivered in Eclipse Mojarra 2.3.14 via commit cefbb94, which routes the loc and con parameters through ResourceManager.nameContainsForbiddenSequence before resource lookup. Oracle ships the fix through the Critical Patch Update advisories of October 2021, January 2022, and April 2022. Background and reproduction details are tracked in Eclipse Bug 550943 and Mojarra Issue #4571.

Workarounds

  • Deploy a WAF or reverse proxy rule that blocks requests to JSF endpoints when loc or con parameters contain .., URL-encoded traversal sequences, or path separators
  • Restrict filesystem permissions on the Java application user to minimize files reachable through traversal
  • Disable serving of unused JSF contracts and locales where possible to reduce parameter attack surface
apache
# Example ModSecurity (v2 syntax) rule to block traversal in JSF loc/con parameters.
# ARGS values arrive URL-decoded once; t:urlDecodeUni strips a second layer so
# %252e%252e is seen as .. and t:lowercase makes the pattern case-insensitive.
# Locale prefixes and contract names never legitimately contain a path separator,
# so any / or \ (encoded or not) is rejected as well.
SecRule ARGS:loc|ARGS:con "@rx (\.\.|[/\\]|%2e%2e|%2f|%5c)" \
    "id:1020695,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,\
    msg:'CVE-2020-6950 Mojarra path traversal attempt in loc/con parameter'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
