Undertow (on Windows) Information disclosure via directory traversal

2014.11.27
Credit: Arun Babu Neelicattu
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2014-7816
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

CVE-2014-7816 was assigned to a vulnerability in JBoss Undertow [1]. This flaw was reported by Roberto Soares of Conviso Application Security. Issue Description: It was discovered that Undertow, when running on Microsoft Windows, is vulnerable to a directory traversal flaw. A remote attacker could use this flaw to read arbitrary files that are accessible to the user running the Java process. Fixed Version(s): undertow 1.0.17.Final, undertow 1.2.0.Beta3, undertow 1.1.0.CR5 Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/7816.yaml References: https://issues.jboss.org/browse/UNDERTOW-338 https://issues.jboss.org/browse/WFLY-4020 https://bugzilla.redhat.com/CVE-2014-7816 https://access.redhat.com/security/cve/CVE-2014-7816 -- Arun Neelicattu / Red Hat Product Security

References:

https://issues.jboss.org/browse/UNDERTOW-338
https://issues.jboss.org/browse/WFLY-4020
https://bugzilla.redhat.com/CVE-2014-7816
https://access.redhat.com/security/cve/CVE-2014-7816
https://github.com/victims/victims-cve-db/blob/master/database/java/2014/7816.yaml


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top