Path Traversal: '../filedir'
CVE-2024-1459
Summary
A Path Traversal vulnerability was found in Undertow versions prior to 2.2.31.Final and 2.3.x prior to 2.3.12.Final. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-24 - Path Traversal: '../filedir'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
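The check below is an added illustration of the CWE-24 defence, not code from Undertow or JBoss EAP: rather than scanning the request string for "../" (which encoded and normalised variants slip past), it maps the request onto the filesystem, collapses every "." and ".." segment, and only then tests whether the result still lies under the document root. The root `/srv/app/public`, the request paths and the three-field log lines are all constructed for the example and nothing is read from disk; it assumes a POSIX host and Python 3.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed document root for the example; it does not need to exist on disk.
DOC_ROOT = Path("/srv/app/public")


def resolve_within_root(requested: str, root: Path = DOC_ROOT):
    """Map an HTTP request path to a filesystem path confined to `root`.

    Returns the resolved Path, or None when the request would escape the root.
    The containment test runs on the *resolved* path, after '.' and '..' have
    been collapsed, instead of on the raw string, which is the neutralisation
    CWE-24 says is missing.
    """
    # Decode percent-encoding exactly once, as a servlet container would; a
    # second pass would turn a double-encoded sequence back into '../'.
    decoded = unquote(requested)
    # Strip the leading slash so the request is always joined *under* the root.
    # Joining an absolute path would otherwise replace the root entirely.
    relative = decoded.lstrip("/")
    root = root.resolve()
    candidate = (root / relative).resolve()
    # Component-wise containment: a str.startswith() check would accept
    # /srv/app/public2/x for a root of /srv/app/public.
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


# Constructed access-log lines in a minimal "METHOD PATH STATUS" form.
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /static/../../../etc/passwd 200",
    "GET /%2e%2e/%2e%2e/etc/shadow 404",
    "GET /images/../index.html 200",
]


def audit_access_log(lines):
    """Replay logged request paths through the confinement check.

    Returns a list of (path, verdict) pairs where the verdict is "blocked" when
    the path would have resolved outside the document root, else "ok". Useful
    for retroactively spotting traversal attempts in logs, including requests
    a server answered with 200 before a fix was deployed.
    """
    results = []
    for line in lines:
        _method, path, _status = line.split()
        verdict = "blocked" if resolve_within_root(path) is None else "ok"
        results.append((path, verdict))
    return results


if __name__ == "__main__":
    for path, verdict in audit_access_log(SAMPLE_LOG):
        print(f"{verdict:8} {path}")
```

Note that `/images/../index.html` is accepted: the ".." stays inside the root once resolved, which is why the check is on the destination rather than on the presence of the sequence. A request whose decoded form is an absolute path is silently re-rooted rather than rejected; return None there instead if the application wants to log such requests as suspicious.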
References
Advisory Timeline
- Published