CVE-2018-1048
Published: Jan 24, 2018
Modified: Aug 5, 2024
PUBLISHED
Description
It was found that the AJP connector in Undertow, as shipped in JBoss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and therefore accepts percent-encoded slash and backslash characters in the request URL. This may allow path traversal and result in the disclosure of arbitrary local files.
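The following is an added illustration of the bug class the advisory describes; it is not Undertow or JBoss EAP code and does not reproduce the AJP connector. It models two resolvers for a static-file handler: an insecure one that normalizes the still-encoded path before decoding it, so that `..%2F` and `..%5C` segments slip past normalization and only become `../` afterwards, and a hardened one that rejects encoded separators (the effect of leaving ALLOW_ENCODED_SLASH disabled), decodes first, and finally checks that the resolved file is still under the document root. The document root, the request paths and the treatment of backslash as a separator are constructed assumptions for the demonstration.

```python
"""Model of encoded-slash path traversal (added example, not project code)."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

DOCROOT = "/opt/app/webroot"  # assumed document root for the demonstration

# %2F is '/', %5C is '\'; these are the separators ALLOW_ENCODED_SLASH governs.
ENCODED_SEPARATOR = re.compile(r"%(2f|5c)", re.IGNORECASE)


def _as_posix(decoded: str) -> str:
    # Assumption for the model: backslash acts as a separator too, as it
    # would on a Windows file system (the "anti-slash" in the advisory).
    return decoded.replace("\\", "/")


def resolve_insecure(raw_path: str, root: str = DOCROOT) -> str:
    """Vulnerable ordering: normalize the still-encoded path, then decode.

    While the slash is encoded, '..%2F..' is a single opaque segment rather
    than two '..' segments, so normalization leaves it alone. Decoding it
    afterwards yields '../../', and the final file-system lookup walks out
    of the document root.
    """
    normalized = posixpath.normpath("/" + raw_path.lstrip("/"))
    decoded = _as_posix(unquote(normalized))
    return posixpath.normpath(root + decoded)


def resolve_hardened(raw_path: str, root: str = DOCROOT,
                     allow_encoded_slash: bool = False) -> Optional[str]:
    """Safe ordering: reject encoded separators unless explicitly allowed,
    decode, normalize, then confirm the target is still under the root.

    Returns the resolved path, or None when the request is rejected.
    """
    if not allow_encoded_slash and ENCODED_SEPARATOR.search(raw_path):
        return None
    decoded = _as_posix(unquote(raw_path))
    target = posixpath.normpath(root + "/" + decoded.lstrip("/"))
    if escapes_root(target, root):
        return None
    return target


def escapes_root(path: str, root: str = DOCROOT) -> bool:
    """True when a resolved path lies outside the document root."""
    return not (path == root or path.startswith(root + "/"))


# Constructed request paths: a benign file, a literal traversal (neutralized
# by normalization in both resolvers), and two encoded-separator traversals.
SAMPLE_REQUESTS = [
    "/static/logo.png",
    "/static/../../../../etc/passwd",
    "/static/..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "/static/..%5C..%5C..%5C..%5Cetc%5Cpasswd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        insecure = resolve_insecure(req)
        hardened = resolve_hardened(req)
        print(req)
        print(f"  insecure -> {insecure} (escapes root: {escapes_root(insecure)})")
        print(f"  hardened -> {hardened if hardened else 'REJECTED'}")
```

Running the script shows the literal `../` request being collapsed harmlessly by both resolvers, while the `%2F` and `%5C` variants resolve to `/etc/passwd` in the insecure resolver and are rejected by the hardened one. Even with `allow_encoded_slash=True`, the hardened resolver still rejects them, because it decodes before normalizing and then verifies the root prefix; only a request whose decoded form stays inside the root, such as `/static/sub%2Flogo.png`, is served.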
| Vendor | Product | Versions |
|---|---|---|
| Red Hat, Inc. | Undertow as shipped in JBoss EAP 7.1.0.GA | affected: 7.1.0.GA |
Weaknesses (CWE)
References
RHSA-2018:0479 (vendor-advisory, x_refsource_REDHAT)
RHSA-2018:0481 (vendor-advisory, x_refsource_REDHAT)
RHSA-2018:0480 (vendor-advisory, x_refsource_REDHAT)
RHSA-2018:0478 (vendor-advisory, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=1534343 (x_refsource_CONFIRM)