CVE-2020-6950: 
Java vulnerability analysis and mitigation

A directory traversal vulnerability was identified in Eclipse Mojarra before version 2.3.14. The vulnerability allows attackers to read arbitrary files through the 'loc' parameter or 'con' parameter (Eclipse Bug, CVE Mitre).

The vulnerability exists in the resource handling mechanism of Eclipse Mojarra where insufficient validation of the 'loc' and 'con' parameters could allow path traversal attacks. The issue was discovered in 2019 and affects multiple versions of the software. The vulnerable locale code was added in 2017 (Mojarra 2.3) while the contract-related vulnerability has existed since 2013 (Mojarra 2.2) (Eclipse Bug).

The vulnerability could lead to the disclosure of restricted application files, such as WEB-INF/web.xml, through specially crafted HTTP requests. Research indicates this vulnerability has a potentially large impact on affected systems (Eclipse Bug).

A fix was implemented in Mojarra version 2.3.14 through a commit that adds additional validation to prevent path traversal attempts. The fix includes checks using ResourceManager.nameContainsForbiddenSequence() to validate the contract name and locale prefix (Mojarra Commit).