Red Hat · Jboss · CVE-2005-2006
**Name of the Vulnerable Software and Affected Versions**
JBOSS versions 3.2.2 through 3.2.7
JBOSS version 4.0.2
**Description**
The issue allows a remote attacker to obtain sensitive information via a crafted GET request. This can be achieved in two ways: (1) by including a "%." (percent dot) sequence in the request path, which reveals the installation path, or (2) by placing a "%" (percent) immediately before a filename, which reveals the contents of that file.
**Recommendations**
For JBOSS versions 3.2.2 through 3.2.7, consider restricting access to sensitive files and directories to minimize the risk of information disclosure.
For JBOSS version 4.0.2, avoid using the "%" character in filenames and directory paths until a fix is available.
As a temporary workaround, consider disabling the handling of "%" characters in GET requests until a patch is available.
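The workaround above amounts to refusing GET requests whose path carries a "%" that is not a well-formed percent-escape. The following Python is an added example, not part of this advisory or of JBoss, showing two defender-side uses of that rule: a request-path check that can run in a reverse proxy or filter in front of the application, and a scan over access-log lines that flags the "%." and "%filename" patterns the advisory describes. The log format (Common Log Format), the `SAMPLE_LOG` lines and their IP addresses and filenames are constructed for the example.

```python
import re

# RFC 3986: a well-formed escape is "%" followed by exactly two hex digits.
_VALID_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Common Log Format (constructed assumption for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines; the second and third carry the
# malformed "%" sequences described in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2005:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Jul/2005:12:00:02 +0000] "GET /%. HTTP/1.1" 200 133
10.0.0.9 - - [10/Jul/2005:12:00:03 +0000] "GET /%example.txt HTTP/1.1" 200 2048
10.0.0.7 - - [10/Jul/2005:12:00:04 +0000] "GET /docs/a%20b.html HTTP/1.1" 200 900
"""


def malformed_percent_sequences(path: str) -> list[str]:
    """Return every '%' sequence in path that is not a two-hex-digit escape.

    "%." and "%e" (as in "%example.txt") are both reported; "%20" is not.
    """
    bad = []
    i = 0
    while i < len(path):
        if path[i] == "%":
            token = path[i:i + 3]
            if _VALID_ESCAPE.fullmatch(token):
                i += 3          # skip a well-formed escape as a unit
                continue
            bad.append(token)
        i += 1
    return bad


def is_safe_request_path(path: str, allow_well_formed_escapes: bool = True) -> bool:
    """Decide whether a request path should be passed on to the application.

    With allow_well_formed_escapes=False this is the advisory's literal
    workaround: any "%" in the path is refused. With True (the default) only
    malformed sequences are refused, so ordinary encoded URLs keep working.
    """
    if not allow_well_formed_escapes:
        return "%" not in path
    return not malformed_percent_sequences(path)


def flag_suspicious_requests(log_text: str) -> list[dict]:
    """Scan access-log lines and return the GET requests with malformed '%'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("method") != "GET":
            continue
        bad = malformed_percent_sequences(m.group("path"))
        if bad:
            hits.append({
                "ip": m.group("ip"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "malformed": bad,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        # A 200 on a malformed path is the signal worth alerting on.
        print(f'{hit["ip"]} requested {hit["path"]!r} '
              f'(status {hit["status"]}, malformed {hit["malformed"]})')
```

In front of an unpatched instance the `is_safe_request_path` check belongs in whatever sits before the JBoss listener (a reverse proxy rule or servlet filter); on the detection side, a request that matches `flag_suspicious_requests` and returned a 200 rather than a 4xx is the case to investigate, since it indicates the server served the path rather than rejecting it.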