Improper Limitation of a Pathname to a Restricted Directory in JBoss Undertow

GHSA-h6p6-fc4w-cqhx · CVE-2014-7816

Published May 17, 2022 · Modified Dec 7, 2024

Description

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-7816
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1157478
WEB https://issues.jboss.org/browse/UNDERTOW-338
WEB https://issues.jboss.org/browse/WFLY-4020
WEB http://seclists.org/oss-sec/2014/q4/830
WEB http://www.securityfocus.com/bid/71328

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes