CVE-2016-0793

Published: Feb 11, 2016
Source: redhat
CVSS2: 5
EPSS: Medium

Description

Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters.

An incomplete-blacklist flaw was found in the blacklisting of URLs in Wildfly. A remote, unauthenticated user could exploit this flaw to expose sensitive files.

Statement

Only Wildfly application servers running on Windows operating systems are affected; no versions of Red Hat JBoss EAP or layered products are affected.
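As an added illustration (this is not WildFly's code and not from Red Hat's advisory), the stand-alone Python model below shows why a case-sensitive prefix blacklist is incomplete on Windows: the filter compares the raw request path, while the Windows filesystem resolves names case-insensitively and ignores trailing dots and spaces in a path component. The lowercase bypass is the one named in the CVE text; treating a trailing dot as one of the "meaningless" characters is an assumption made here for the demonstration. The hardened variant canonicalizes the path the way the filesystem would before comparing, and the sample requests are constructed for this example.

```python
import posixpath

# Directories the servlet spec says must never be served directly.
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def naive_filter_allows(request_path: str) -> bool:
    """Model of an incomplete blacklist: a case-sensitive prefix check on the
    raw request path.  Adequate on a case-sensitive Unix filesystem, but on
    Windows the resource is still found when the case does not match, so the
    check is bypassed while the file is served."""
    for d in PROTECTED_DIRS:
        if request_path == f"/{d}" or request_path.startswith(f"/{d}/"):
            return False
    return True


def windows_canonical(request_path: str) -> str:
    """Approximate how a Windows filesystem resolves a path (assumption made
    for this example; it models Win32/NTFS name handling, not WildFly code):
    backslash accepted as a separator, dot segments collapsed, trailing dots
    and spaces stripped from every component, case folded."""
    path = request_path.replace("\\", "/")
    # Re-root before normpath so a leading ".." cannot climb above the webapp
    # and so posixpath does not preserve a leading "//".
    path = posixpath.normpath("/" + path.lstrip("/"))
    parts = [segment.rstrip(" .") for segment in path.split("/")]
    return "/".join(parts).upper()


def hardened_filter_allows(request_path: str) -> bool:
    """Same policy as the naive filter, but applied to the canonical form the
    filesystem will actually use, so case and trailing-dot variants no longer
    slip past the prefix comparison."""
    canon = windows_canonical(request_path)
    for d in PROTECTED_DIRS:
        if canon == f"/{d}" or canon.startswith(f"/{d}/"):
            return False
    return True


# Constructed sample requests (not taken from the advisory).
SAMPLE_REQUESTS = {
    "/WEB-INF/web.xml": "exact case: blocked by both filters",
    "/web-inf/web.xml": "lowercase, CVE case (a): naive filter lets it through",
    "/WEB-INF./web.xml": "trailing dot, assumed instance of CVE case (b)",
    "/WEB-INF/../index.html": "dot segment leaves the directory; legitimately allowed",
    "/WEB-INFO/readme.txt": "unrelated directory; allowed",
}


def evaluate(paths=SAMPLE_REQUESTS):
    """Map each request path to (naive_allows, hardened_allows)."""
    return {p: (naive_filter_allows(p), hardened_filter_allows(p)) for p in paths}


def bypasses(paths=SAMPLE_REQUESTS):
    """Paths the naive filter serves but the hardened filter blocks."""
    return [p for p, (naive, hard) in evaluate(paths).items() if naive and not hard]


if __name__ == "__main__":
    for path, (naive, hard) in evaluate().items():
        print(f"{path:28} naive={'allow' if naive else 'block':5} hardened={'allow' if hard else 'block':5}  {SAMPLE_REQUESTS[path]}")
    print("bypasses:", bypasses())
```

The durable fix is not a longer blacklist: a container should resolve the requested resource through a single canonicalization routine and refuse anything whose canonical form lands under WEB-INF or META-INF, or better, serve static content only from an allowlisted resource root. Any check that runs on the raw string will keep falling behind the filesystem's own name-matching rules.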

Affected packages

Platform | Package | State | Recommendation | Release
Red Hat JBoss Enterprise Web Server 1 | wildfly | Affected | | 

Additional information

Severity: Moderate

Weakness: CWE-184 (Incomplete List of Disallowed Inputs, formerly "Incomplete Blacklist")

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1305937
wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass

EPSS

Score: 0.35266 (97th percentile, Medium)

CVSS2

5 (Medium)

Related records

nvd (CVSS3: 7.5, almost 10 years ago): same description as above.

github (CVSS3: 7.5, over 3 years ago): WildFly has incomplete blacklist vulnerability

fstec (almost 10 years ago): Vulnerability in the WildFly Java application server that lets an attacker read confidential files
