Path Traversal Vulnerability in JBoss EAP by Red Hat
CVE-2018-1048
7.5 HIGH
Key Information:
- Vendor: Red Hat
- Product: JBoss EAP 7.1.0.GA (Undertow AJP connector)
- CVE Published: 24 January 2018
Summary
The AJP connector in Undertow, as shipped in JBoss EAP 7.1.0.GA, does not apply the ALLOW_ENCODED_SLASH option. Requests arriving over AJP can therefore carry percent-encoded slash (%2F) and backslash (%5C) characters in the URL path, sequences that Undertow otherwise refuses unless ALLOW_ENCODED_SLASH has been explicitly enabled. Encoded separators that survive into the request path can later be decoded back into literal / and \ characters, which lets an unauthenticated remote attacker traverse outside the intended directory and read arbitrary local files. The impact is information disclosure; the flaw does not by itself allow files to be modified. Whether a given deployment is reachable depends on how requests get to the AJP port: a front-end proxy that normalises or rejects encoded separators before forwarding reduces exposure, while one that forwards the raw path does not.
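The following Python is an added illustration of the mechanism the summary describes; it is not code from the advisory, from Undertow, from JBoss EAP or from Red Hat. It models two layers that many servlet stacks have, a connector that normalises dot-segments on the still-encoded path and a resource handler that percent-decodes afterwards and maps the result onto a directory, and shows why letting %2F or %5C through the first layer defeats the traversal check. The document root, the function names, the request paths and the allow_encoded_slash flag are all constructed for the example; the flag stands in for Undertow's ALLOW_ENCODED_SLASH option only by analogy.

```python
"""Why an encoded slash in a URL path matters: a constructed model.

Added illustration, not Undertow, JBoss EAP or Red Hat code. Two layers:
a front end that normalises dot-segments on the *raw* (percent-encoded)
path, and a handler that decodes afterwards and maps onto a directory.
If "%2F" or "%5C" reach the handler, they become separators only after
the traversal check has already run.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/app"  # assumed document root for the example


def _normalise_segments(path: str) -> str:
    """Lexically collapse '.' and '..' segments; never decodes anything."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def vulnerable_resolve(raw_path: str) -> str:
    """Normalise the encoded path, THEN decode and join to the root.

    To the normaliser, '..%2F..%2F..' is one opaque segment, so it passes.
    The handler then decodes it into real separators and the resulting
    filesystem path escapes DOC_ROOT.
    """
    checked = _normalise_segments(raw_path)
    decoded = unquote(checked).replace("\\", "/")
    return posixpath.normpath(DOC_ROOT + decoded)


def hardened_resolve(raw_path: str, allow_encoded_slash: bool = False) -> str:
    """Reject encoded separators unless opted in, decode exactly once,
    normalise the DECODED path, and re-check containment before use.

    allow_encoded_slash plays the role of ALLOW_ENCODED_SLASH by analogy;
    with the default False, any %2F/%5C in the path is refused outright.
    """
    lowered = raw_path.lower()
    if not allow_encoded_slash and ("%2f" in lowered or "%5c" in lowered):
        raise ValueError("encoded slash in path rejected: " + raw_path)
    decoded = unquote(raw_path).replace("\\", "/")
    checked = _normalise_segments(decoded)  # runs on the decoded form
    target = posixpath.normpath(DOC_ROOT + checked)
    # Defensive: _normalise_segments cannot climb above '/', so this holds,
    # but a real handler should still refuse anything outside the root.
    if target != DOC_ROOT and not target.startswith(DOC_ROOT + "/"):
        raise PermissionError("path escapes document root: " + target)
    return target


def resolve_or_reason(raw_path: str, allow_encoded_slash: bool = False) -> str:
    """Turn the hardened resolver's refusals into strings so outcomes can
    be compared side by side with the vulnerable resolver."""
    try:
        return hardened_resolve(raw_path, allow_encoded_slash)
    except ValueError:
        return "REJECTED:encoded-separator"
    except PermissionError:
        return "DENIED:outside-root"


if __name__ == "__main__":
    # Constructed request paths; the last one is the backslash variant.
    probes = [
        "/static/css/main.css",
        "/static/../../../../etc/passwd",
        "/static/..%2F..%2F..%2F..%2Fetc/passwd",
        "/static/..%5C..%5C..%5C..%5Cetc/passwd",
    ]
    for p in probes:
        print(f"{p:42} vulnerable -> {vulnerable_resolve(p)}")
        print(f"{'':42} hardened   -> {resolve_or_reason(p)}")
```

The plain `../../../../etc/passwd` form is harmless to both resolvers, because the normaliser sees the dot-segments; only the encoded forms get past `vulnerable_resolve`, which is exactly the gap that ALLOW_ENCODED_SLASH is meant to close. When an application genuinely needs encoded slashes in paths (the opt-in case), the order of operations in `hardened_resolve` still keeps the result inside the root.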
Affected Version(s)
Undertow as shipped in JBoss EAP 7.1.0.GA
CVSS V3.1
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged