CVE-2018-1048

Severity CVSS v4.0:
Pending analysis
Type:
CWE-22 Path Traversal
Publication date:
24/01/2018
Last modified:
17/06/2026

Description

It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*