CVE-2020-6950 Overview
CVE-2020-6950 is a directory traversal vulnerability in Eclipse Mojarra, the reference implementation of JavaServer Faces (JSF). It allows remote attackers to read arbitrary files from the server by manipulating the loc or con parameter in HTTP requests. Eclipse Mojarra versions prior to 2.3.14 are affected, along with numerous Oracle products that bundle or depend on the vulnerable Mojarra library.
Critical Impact
Attackers can exploit this path traversal flaw to access sensitive configuration files, application source code, credentials, and other confidential data stored on vulnerable servers, potentially leading to full system compromise.
Affected Products
- Eclipse Mojarra (versions prior to 2.3.14)
- Oracle Banking Enterprise Default Management (2.10.0, 2.12.0)
- Oracle Banking Platform (2.6.2, 2.7.1, 2.9.0, 2.12.0)
- Oracle Communications Network Integrity (7.3.6)
- Oracle Communications Pricing Design Center (12.0.0.3.0)
- Oracle Hyperion Calculation Manager
- Oracle Retail Merchandising System (19.0.1)
- Oracle Solaris Cluster (4.0)
- Oracle Time and Labor
Discovery Timeline
- 2021-06-02 - CVE-2020-6950 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-6950
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) exists in Eclipse Mojarra's resource handling mechanism. The JSF framework's resource loading functionality accepts user-controllable parameters (loc and con) that specify resource locations and contract names. Prior to the security fix, these parameters were not adequately validated for path traversal sequences, allowing attackers to escape the intended resource directory and access files elsewhere on the filesystem.
The vulnerability is particularly concerning because it requires no authentication to exploit: an attacker only needs to craft HTTP requests to the vulnerable resource endpoints. The attack can be executed remotely over the network and requires user interaction only in specific scenarios. While the vulnerability allows reading arbitrary files (high confidentiality impact), it does not permit modification or deletion of files.
Root Cause
The root cause lies in insufficient input validation within the ClasspathResourceHelper.java and ResourceManager.java classes. Specifically, the contractName value extracted from the con request parameter was used directly for resource path construction without checking for forbidden path sequences such as ../ or encoded variants. ResourceManager already had a nameContainsForbiddenSequence() method, but it was private and was not called to validate the con parameter before processing.
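The Python sketch below is an added illustration, not Mojarra's Java code: it shows the pattern behind the fix, a forbidden-sequence check run on the request-supplied contract name before it is joined to the resource root, beside the unchecked join that produced the vulnerability. The resource root, the contract names and the decode-depth limit are constructed for the example, and the check is modelled on the intent of nameContainsForbiddenSequence(), not on its exact implementation.

```python
# Added illustration (Python, not Mojarra's Java): the validation the fix adds,
# beside the unchecked path construction it protects. The root and the names
# used here are constructed for this example.
import posixpath
from typing import Optional
from urllib.parse import unquote

RESOURCE_ROOT = "/srv/app/contracts"   # hypothetical contract resource root


def name_contains_forbidden_sequence(name: Optional[str]) -> bool:
    """Return True if a request-supplied name must not reach path construction.

    Modelled on the intent of Mojarra's nameContainsForbiddenSequence(), not
    its exact implementation: URL-decode a bounded number of times (so ..%2f
    and ..%252f are both seen as ../), lower-case, then reject absolute paths,
    parent-directory references and NUL bytes.
    """
    if name is None:
        return True
    decoded = name
    for _ in range(3):                 # bounded: no open-ended decode loop
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.lower().replace("\\", "/")
    return (decoded.startswith("/")
            or ".." in decoded
            or "\x00" in decoded)


def resolve_contract_vulnerable(contract_name: str) -> str:
    """Pre-fix pattern: the parameter is joined to the root as-is.

    posixpath.join discards the root when the second part is absolute, and
    normpath walks ../ upwards, so the result can land outside RESOURCE_ROOT.
    """
    return posixpath.normpath(posixpath.join(RESOURCE_ROOT, contract_name))


def resolve_contract_fixed(contract_name: Optional[str]) -> Optional[str]:
    """Post-fix pattern: validate the name first, then confirm containment."""
    if not contract_name or name_contains_forbidden_sequence(contract_name):
        return None
    resolved = posixpath.normpath(posixpath.join(RESOURCE_ROOT, contract_name))
    # Defence in depth: whatever passed the string check must still normalise
    # to a location beneath the root.
    if not resolved.startswith(RESOURCE_ROOT + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for con in ("red", "../../WEB-INF/web.xml", "/WEB-INF/web.xml"):
        print(f"{con!r:28} vulnerable -> {resolve_contract_vulnerable(con)!s:28}"
              f" fixed -> {resolve_contract_fixed(con)}")
```

The containment check after normalisation is deliberate: the string check stops the known traversal forms, while the prefix check catches anything that still escapes the root, so a gap in one does not become a file read.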
Attack Vector
The attack is network-based and targets the JSF resource handler endpoints. An attacker can craft HTTP requests with malicious loc or con parameter values containing directory traversal sequences (e.g., ../../../etc/passwd). When processed by the vulnerable Mojarra code, these sequences allow the attacker to traverse outside the intended resource directory and read arbitrary files accessible to the application server process.
// Security patch in ClasspathResourceHelper.java
// Before: No validation of contractName parameter
// After: Added nameContainsForbiddenSequence() check
} else if (root == null) {
String contractName = ctx.getExternalContext().getRequestParameterMap()
.get("con");
- if (null != contractName && 0 < contractName.length()) {
+ if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
contracts = new ArrayList<>();
contracts.add(contractName);
} else {
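Review bot: the new condition on the `+ if (null != contractName && ... && !ResourceManager.nameContainsForbiddenSequence(contractName))` line silently routes a contract name containing a forbidden sequence into the `else` branch, so a request carrying such a `con` value is processed as if no contract had been supplied rather than being rejected and logged; consider logging the rejected value (or failing the request) so exploitation attempts are visible in application logs. Also, only the `con` parameter is validated in this hunk, while the advisory names `loc` as a second attacker-controlled parameter; confirm the corresponding `loc` code path applies the same check.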
Source: GitHub Mojarra Commit
// Security patch in ResourceManager.java
// Changed visibility of validation method to enable reuse
- private static boolean nameContainsForbiddenSequence(String name) {
+ static boolean nameContainsForbiddenSequence(String name) {
boolean result = false;
if (name != null) {
name = name.toLowerCase();
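Review bot: `name = name.toLowerCase();` uses the JVM default locale, so the result of the validation can differ between deployments (the Turkish-locale dotted/dotless I case is the usual example); prefer `name.toLowerCase(Locale.ROOT)` for a security check. Separately, the change from `private static boolean` to package-private `static boolean` carries no comment explaining that the method is now shared with ClasspathResourceHelper; a one-line Javadoc note would stop a later cleanup from making it private again and silently reopening the gap.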
Source: GitHub Mojarra Commit
Detection Methods for CVE-2020-6950
Indicators of Compromise
- HTTP requests to JSF resource endpoints containing ../ sequences in the loc or con parameters
- Unusual access patterns to /javax.faces.resource/ URL paths with encoded traversal characters
- Web server logs showing requests with URL-encoded sequences like %2e%2e%2f or ..%252f in resource parameters
- Attempts to access sensitive files such as /etc/passwd, web.xml, or application property files via JSF endpoints
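As an added example that is not part of the original advisory, the Python script below applies the indicators above to constructed access-log lines: it parses each request line, restricts attention to /javax.faces.resource/ URLs, decodes the loc and con values until they stop changing so that single-encoded (..%2f) and double-encoded (..%252f) forms are both caught, and reports each match with its response status. The addresses, paths, timestamps and user agents in the sample log are made up.

```python
# Added example (not from the advisory): scan constructed access-log lines for
# the CVE-2020-6950 indicators. Addresses, paths and timestamps are made up.
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2021:10:00:01 +0000] "GET /app/javax.faces.resource/style.css.xhtml?ln=css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [02/Jun/2021:10:00:02 +0000] "GET /app/javax.faces.resource/style.css.xhtml?con=../../WEB-INF/web.xml HTTP/1.1" 200 1984 "-" "curl/7.68.0"
203.0.113.12 - - [02/Jun/2021:10:00:03 +0000] "GET /app/javax.faces.resource/x.xhtml?loc=..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 1984 "-" "curl/7.68.0"
203.0.113.13 - - [02/Jun/2021:10:00:04 +0000] "GET /app/javax.faces.resource/x.xhtml?con=..%252f..%252fWEB-INF HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.14 - - [02/Jun/2021:10:00:05 +0000] "GET /app/index.xhtml?con=../../conf HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined Log Format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parent-directory step at the start of the value or after a separator.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
WATCHED_PARAMS = ("loc", "con")
RESOURCE_MARKER = "/javax.faces.resource/"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded): ..%252f -> ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True for absolute paths or any ../ step, with backslashes normalised."""
    normalised = value.replace("\\", "/")
    return normalised.startswith("/") or bool(TRAVERSAL_RE.search(normalised))


def find_traversal_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one record per loc/con value that carries a traversal sequence."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a request line we understand
        target = m.group("target")
        if RESOURCE_MARKER not in target:
            continue                       # only JSF resource endpoints
        # parse_qs decodes once; fully_decode handles deeper encodings.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for param in WATCHED_PARAMS:
            for raw in params.get(param, []):
                decoded = fully_decode(raw)
                if is_traversal(decoded):
                    hits.append({
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "param": param,
                        "value": decoded,
                        "status": int(m.group("status")),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} {hit['param']}={hit['value']!r} "
              f"status={hit['status']}")
```

The script deliberately keys on the resource endpoint rather than on any parameter named loc or con, which is why the last sample line (a traversal string sent to a non-resource page) is not reported; widen RESOURCE_MARKER if the application mounts the resource handler elsewhere. When triaging hits, a 200 response with a non-trivial size is the case to escalate first; 403 and 404 responses still matter as evidence of probing.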
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block directory traversal patterns in HTTP parameters
- Configure intrusion detection systems (IDS) to alert on requests containing path traversal sequences targeting JSF resources
- Deploy SentinelOne Singularity to detect suspicious file access patterns and exploitation attempts at the endpoint level
- Review application dependencies and verify Mojarra version using build tools (Maven/Gradle dependency analysis)
Monitoring Recommendations
- Monitor web server access logs for anomalous requests to JSF resource handler URLs with special attention to loc and con parameters
- Set up alerts for file access attempts outside the application's designated resource directories
- Track and correlate failed file access attempts that may indicate reconnaissance or exploitation activity
- Leverage SentinelOne's behavioral AI to detect post-exploitation activities if initial file disclosure leads to credential theft
How to Mitigate CVE-2020-6950
Immediate Actions Required
- Upgrade Eclipse Mojarra to version 2.3.14 or later immediately
- For Oracle products, apply the relevant Critical Patch Updates (CPU) from October 2021, January 2022, or April 2022
- Implement WAF rules to filter requests containing directory traversal patterns in JSF resource parameters
- Audit application logs for evidence of past exploitation attempts
Patch Information
The vulnerability was addressed in Eclipse Mojarra version 2.3.14. The fix adds proper validation of the con parameter by calling the nameContainsForbiddenSequence() method before processing resource requests. The security commit (cefbb9447e7be560e59da2da6bd7cb93776f7741) is available in the official Mojarra repository.
For Oracle products, patches are available through:
- Oracle Critical Patch Update - October 2021
- Oracle Critical Patch Update - January 2022
- Oracle Critical Patch Update - April 2022
Additional details can be found in the Eclipse Bug Report #550943 and GitHub Mojarra Issue #4571.
Workarounds
- Deploy a WAF or reverse proxy with rules to block requests containing ../, ..%2f, %2e%2e/, and similar traversal patterns in query parameters
- Restrict network access to JSF resource endpoints using firewall rules where feasible
- Implement additional input validation at the application level to reject requests with suspicious parameter values
- Consider disabling unused JSF resource serving functionality if not required by the application
# Example ModSecurity rule to block path traversal attempts in request arguments.
# ARGS are URL-decoded once by the engine; t:urlDecodeUni decodes one further
# layer so double-encoded forms such as ..%252f are also caught.
SecRule ARGS "@contains ../" \
    "id:100001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    t:none,t:urlDecodeUni,\
    msg:'Path Traversal Attack Detected in Parameter',\
    tag:'CVE-2020-6950'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


