CVE-2011-4367
Title: Apache Myfaces Path Traversal / LFI
Arbitrary File Access
Proof Of Concept
PoC Available for CVE-2011-4367
CWE Category
CWE-22
Published Date
Jun 19, 2014
Modified Date
May 06, 2026
Exploit Status
Available
Score
5.0
CVSS v2.0
Exploit Probability (EPSS)
85.92%
Vulnerability Summary
CVE-2011-4367: Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.
Impacted Vendors
Reference Links
http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/%3C4F33ED1F.4070007%40apache.org%3E
http://osvdb.org/show/osvdb/79002
http://seclists.org/fulldisclosure/2012/Feb/150
http://secunia.com/advisories/47973
http://www.securityfocus.com/bid/51939
https://exchange.xforce.ibmcloud.com/vulnerabilities/73100
http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/%3C4F33ED1F.4070007%40apache.org%3E
http://osvdb.org/show/osvdb/79002
http://seclists.org/fulldisclosure/2012/Feb/150
http://secunia.com/advisories/47973
http://www.securityfocus.com/bid/51939
https://exchange.xforce.ibmcloud.com/vulnerabilities/73100
CVSS v2.0
Source Entity
[email protected]
Severity
MEDIUM
5.0
Access Vector
N/A
Authentication
N/A
RAW VECTOR
AV:N/AC:L/Au:N/C:P/I:N/A:N
Associated Attack Patterns (CAPEC)
Total: PatternsNo specific attack patterns mapped.
Likelihood
Severity
Page /
CVE-2011-4367 Exploits & PoCs (Proof Of Concept)
Exploit-DB
https://www.exploit-db.com/exploits/36681
MODIFIED
Vulnerability data updated via NVD.
MODIFIED
Vulnerability data updated via NVD.
MODIFIED
Vulnerability data or affected products updated.
PUBLISHED
Vulnerability first announced in NVD.
Attack Vector Matrix
Access Vector
N/A
Complexity
N/A
Privileges
N/A
Interaction
NONE
CVSS Vector String
AV:N/AC:L/Au:N/C:P/I:N/A:N
Affected Stack
No specific products linked.