VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ud7m-cc54-3qbv

Essentials
Severities (25)
References (17)
Severity details (10)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ud7m-cc54-3qbv
Aliases	CVE-2018-14371 GHSA-43q7-q5vp-3g68
Summary	The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-14371.json
epss	0.01625	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.01625	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.01625	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.01625	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
epss	0.02476	https://api.first.org/data/v1/epss?cve=CVE-2018-14371
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-43q7-q5vp-3g68
cvssv3.1	7.5	https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24
generic_textual	HIGH	https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24
cvssv3.1	7.5	https://github.com/eclipse-ee4j/mojarra/pull/4384
generic_textual	HIGH	https://github.com/eclipse-ee4j/mojarra/pull/4384
cvssv2	5.0	https://nvd.nist.gov/vuln/detail/CVE-2018-14371
cvssv3	7.5	https://nvd.nist.gov/vuln/detail/CVE-2018-14371
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2018-14371
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2018-14371

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-14371.json
		https://api.first.org/data/v1/epss?cve=CVE-2018-14371
		https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24
		https://github.com/eclipse-ee4j/mojarra/pull/4384
		https://github.com/javaserverfaces/mojarra/issues/4364
1607709		https://bugzilla.redhat.com/show_bug.cgi?id=1607709
cpe:2.3:a:eclipse:mojarra::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:eclipse:mojarra::::::::
CVE-2018-14371		https://nvd.nist.gov/vuln/detail/CVE-2018-14371
GHSA-43q7-q5vp-3g68		https://github.com/advisories/GHSA-43q7-q5vp-3g68
RHSA-2020:2062		https://access.redhat.com/errata/RHSA-2020:2062
RHSA-2020:2063		https://access.redhat.com/errata/RHSA-2020:2063
RHSA-2020:2113		https://access.redhat.com/errata/RHSA-2020:2113
RHSA-2020:2511		https://access.redhat.com/errata/RHSA-2020:2511
RHSA-2020:2512		https://access.redhat.com/errata/RHSA-2020:2512
RHSA-2020:2513		https://access.redhat.com/errata/RHSA-2020:2513
RHSA-2020:2515		https://access.redhat.com/errata/RHSA-2020:2515
RHSA-2020:3585		https://access.redhat.com/errata/RHSA-2020:3585

No exploits are available.

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-14371.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/eclipse-ee4j/mojarra/commit/1b434748d9239f42eae8aa7d37d7a0930c061e24

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/eclipse-ee4j/mojarra/pull/4384

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-14371

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-14371

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-14371

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.81897
EPSS Score	0.01625
Published At	April 21, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:38:21.924917+00:00	ProjectKB MSRImporter	Import	https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv	38.0.0