PT-2018-9900 · Red Hat · Undertow+1

Bharti Kundal

Publicado

2018-01-24

Atualizado

2023-02-03

CVE-2018-1048

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Jboss EAP version 7.1.0.GA

Description: The AJP connector in undertow does not use the ALLOW ENCODED SLASH option, allowing slash and anti-slash characters to be encoded in the URL. This could lead to path traversal, resulting in the disclosure of arbitrary local files.

Recommendations: For Jboss EAP version 7.1.0.GA, consider disabling the AJP connector until a patch is available to prevent path traversal attacks. Restrict access to sensitive local files to minimize the risk of information disclosure.

Correção

Improper Encoding or Escaping of Output

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-116CWE-22

Identificadores relacionados

CVE-2018-1048

GHSA-PRFW-3QX6-G9XR

RHSA-2018:0479

RHSA-2018:0480

RHSA-2018:0481

Produtos afetados

Jboss Eap

Undertow

PT-2018-9900 · Red Hat · Undertow+1

CVE-2018-1048

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 14