CVE-2018-1048

CVE-2018-1048

Vendor Red Hat, Inc.
Product undertow as shipped in Jboss EAP 7.1.0.GA
Weakness CWE-22 · Path traversal
Published January 24, 2018
Last update August 5, 2024

CVSS base score

What the vulnerability does

01Description

It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.

Key dates

02Disclosure timeline

January 24, 2018 CVE published
August 5, 2024 Record updated