Red Hat JBoss EAP: CVE-2018-1048: Path Traversal
| Severity | CVSS v2 vector | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Jan 15, 2018 | Sep 19, 2024 | Jul 2, 2025 |
Description
It was found that the AJP connector in Undertow, as shipped in JBoss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and therefore accepts percent-encoded slash and backslash characters (%2F and %5C) in the request URL. Because these sequences are not treated as path separators when the request path is normalized but become separators once decoded, a crafted request may lead to path traversal and result in the information disclosure of arbitrary local files.
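The order-of-operations problem behind this advisory, shown as an added Python model that is not Undertow or Red Hat code and does not reproduce Undertow's internals: the container collapses `..` segments on the still-encoded path, where `%2F` is an opaque byte sequence rather than a separator, and only afterwards percent-decodes, at which point the separators reappear. `vulnerable_resolve` models that flawed order, `hardened_resolve` models the ALLOW_ENCODED_SLASH-off behaviour (refuse any request carrying `%2F`/`%5C` before decoding) plus a post-decode containment check, and `suspicious_targets` is a log-triage helper for the same pattern. `DOCROOT` and the sample request lines are constructed for the example and are not real JBoss EAP paths or logs.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the example; not a real JBoss EAP path.
DOCROOT = "/opt/app/webroot"


class BadRequest(Exception):
    """Raised when a request path is refused (maps to an HTTP 400)."""


def has_encoded_slash(raw_path: str) -> bool:
    """True if the still-encoded path carries %2F or %5C in any letter case."""
    upper = raw_path.upper()
    return "%2F" in upper or "%5C" in upper


def vulnerable_resolve(raw_path: str) -> str:
    """Model of the flawed order of operations.

    1. '..' collapsing runs on the raw path, where '%2F' is not a separator.
    2. The path is percent-decoded afterwards, turning %2F/%5C into '/'.
    3. The decoded path is mapped under DOCROOT and resolved by the filesystem.
    Step 1 cannot see the '..' segments that step 2 creates.
    """
    normalized = posixpath.normpath("/" + raw_path.lstrip("/"))
    decoded = unquote(normalized).replace("\\", "/")
    return posixpath.normpath(DOCROOT + decoded)


def hardened_resolve(raw_path: str) -> str:
    """Encoded-slash rejection (ALLOW_ENCODED_SLASH off) plus a containment check
    performed on the fully decoded, normalized path as defence in depth."""
    if has_encoded_slash(raw_path):
        raise BadRequest("encoded slash in request path")
    decoded = unquote(raw_path).replace("\\", "/")
    full = posixpath.normpath(DOCROOT + "/" + decoded.lstrip("/"))
    if escapes_docroot(full):
        raise BadRequest("path escapes document root")
    return full


def escapes_docroot(fs_path: str) -> bool:
    """True if a resolved filesystem path lies outside DOCROOT."""
    return not (fs_path == DOCROOT or fs_path.startswith(DOCROOT + "/"))


def is_rejected(raw_path: str) -> bool:
    """Convenience wrapper: does the hardened resolver refuse this path?"""
    try:
        hardened_resolve(raw_path)
    except BadRequest:
        return True
    return False


# Constructed sample request lines in access-log style; not captured from a real server.
SAMPLE_REQUESTS = [
    "GET /static/css/site.css HTTP/1.1",
    "GET /static/..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "GET /app/..%5c..%5cWEB-INF%5cweb.xml HTTP/1.1",
    "GET /static/../../etc/passwd HTTP/1.1",
]


def suspicious_targets(request_lines):
    """Return request targets that combine an encoded slash with a '..' segment
    once decoded: the footprint an exploitation attempt of this issue leaves in logs.
    Plain '../' requests are excluded because the container's own normalization
    already neutralizes them; the encoded form is the discriminating indicator."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        target = parts[1]
        segments = unquote(target).replace("\\", "/").split("/")
        if has_encoded_slash(target) and ".." in segments:
            hits.append(target)
    return hits


if __name__ == "__main__":
    probe = "/static/..%2F..%2F..%2F..%2Fetc%2Fpasswd"
    print("vulnerable:", vulnerable_resolve(probe))   # resolves to /etc/passwd
    print("hardened rejects:", is_rejected(probe))     # True
    print("log hits:", suspicious_targets(SAMPLE_REQUESTS))
```

Rejecting `%2F` and `%5C` alone does not cover encoded dots (`%2e%2e`), which is why `hardened_resolve` re-normalizes after decoding and checks that the result still lies under `DOCROOT`; the test for `/%2e%2e/secret` below exercises that second layer.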
Solution
Upgrade Red Hat JBoss EAP to the latest release (solution id: red-hat-jboss-eap-upgrade-latest); the Red Hat errata listed under References cover this CVE.
References
- CWE-22
- CWE-116
- CVE-2018-1048
- https://attackerkb.com/topics/CVE-2018-1048
- https://access.redhat.com/security/cve/CVE-2018-1048
- https://bugzilla.redhat.com/show_bug.cgi?id=1534343
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481