VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-tbhh-2tte-kkdk

Essentials
Severities (27)
References (19)
Severity details (18)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-tbhh-2tte-kkdk
Aliases	CVE-2020-6950 GHSA-rpq8-mmwh-q9hm
Summary	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-6950.json
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
epss	0.51657	https://api.first.org/data/v1/epss?cve=CVE-2020-6950
cvssv3.1	7.5	https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943
generic_textual	HIGH	https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-rpq8-mmwh-q9hm
cvssv3.1	7.5	https://github.com/eclipse-ee4j/mojarra
generic_textual	HIGH	https://github.com/eclipse-ee4j/mojarra
cvssv3.1	7.5	https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741
generic_textual	HIGH	https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741
cvssv3.1	7.5	https://github.com/eclipse-ee4j/mojarra/issues/4571
generic_textual	HIGH	https://github.com/eclipse-ee4j/mojarra/issues/4571
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2020-6950
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2020-6950
cvssv3.1	7.5	https://www.oracle.com/security-alerts/cpuapr2022.html
generic_textual	HIGH	https://www.oracle.com/security-alerts/cpuapr2022.html
cvssv3.1	7.5	https://www.oracle.com/security-alerts/cpujan2022.html
generic_textual	HIGH	https://www.oracle.com/security-alerts/cpujan2022.html
cvssv3.1	7.5	https://www.oracle.com/security-alerts/cpuoct2021.html
generic_textual	HIGH	https://www.oracle.com/security-alerts/cpuoct2021.html

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-6950.json
		https://api.first.org/data/v1/epss?cve=CVE-2020-6950
		https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943
		https://github.com/eclipse-ee4j/mojarra
		https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741
		https://github.com/eclipse-ee4j/mojarra/issues/4571
		https://www.oracle.com/security-alerts/cpuapr2022.html
		https://www.oracle.com/security-alerts/cpujan2022.html
		https://www.oracle.com/security-alerts/cpuoct2021.html
1805006		https://bugzilla.redhat.com/show_bug.cgi?id=1805006
CVE-2020-6950		https://nvd.nist.gov/vuln/detail/CVE-2020-6950
GHSA-rpq8-mmwh-q9hm		https://github.com/advisories/GHSA-rpq8-mmwh-q9hm
RHSA-2020:2113		https://access.redhat.com/errata/RHSA-2020:2113
RHSA-2020:2511		https://access.redhat.com/errata/RHSA-2020:2511
RHSA-2020:2512		https://access.redhat.com/errata/RHSA-2020:2512
RHSA-2020:2513		https://access.redhat.com/errata/RHSA-2020:2513
RHSA-2020:2515		https://access.redhat.com/errata/RHSA-2020:2515
RHSA-2020:2905		https://access.redhat.com/errata/RHSA-2020:2905
RHSA-2020:3585		https://access.redhat.com/errata/RHSA-2020:3585

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-6950.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://bugs.eclipse.org/bugs/show_bug.cgi?id=550943

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/eclipse-ee4j/mojarra

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/eclipse-ee4j/mojarra/issues/4571

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-6950

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.oracle.com/security-alerts/cpuapr2022.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.oracle.com/security-alerts/cpujan2022.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.oracle.com/security-alerts/cpuoct2021.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.97875
EPSS Score	0.51657
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:48:49.223692+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.glassfish/mojarra-parent/CVE-2020-6950.yml	38.0.0