Описание
It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.
It was found that the AJP connector in undertow does not use the ALLOW_ENCODED_SLASH option and thus allows the slash and anti-slash characters encoded in a URL. This may lead to path traversal and result in the information disclosure of arbitrary local files.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Fuse 7 | Karaf | Affected | ||
| Red Hat JBoss Fuse 6 | Karaf | Will not fix | ||
| Red Hat JBoss Fuse Integration Service 2 | undetow | Affected | ||
| Red Hat JBoss EAP 7 | undertow | Fixed | RHSA-2018:0478 | 12.03.2018 |
| Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 | eap7-activemq-artemis | Fixed | RHSA-2018:0479 | 12.03.2018 |
| Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 | eap7-apache-cxf | Fixed | RHSA-2018:0479 | 12.03.2018 |
| Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 | eap7-glassfish-jsf | Fixed | RHSA-2018:0479 | 12.03.2018 |
| Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 | eap7-hibernate | Fixed | RHSA-2018:0479 | 12.03.2018 |
| Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 | eap7-infinispan | Fixed | RHSA-2018:0479 | 12.03.2018 |
| Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 | eap7-ironjacamar | Fixed | RHSA-2018:0479 | 12.03.2018 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.6 High
CVSS3
Связанные уязвимости
It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.
It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.
It was found that the AJP connector in undertow, as shipped in Jboss E ...
Improper Limitation of a Pathname to a Restricted Directory in Jboss EAP Undertow
EPSS
8.6 High
CVSS3