GHSA-h6p6-fc4w-cqhx

Source
https://github.com/advisories/GHSA-h6p6-fc4w-cqhx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h6p6-fc4w-cqhx/GHSA-h6p6-fc4w-cqhx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h6p6-fc4w-cqhx
Aliases
  • CVE-2014-7816
Published
2022-05-17T04:15:16Z
Modified
2024-12-07T05:40:06.129651Z
Summary
Improper Limitation of a Pathname to a Restricted Directory in JBoss Undertow
Details

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

Database specific
{
    "nvd_published_at": "2014-12-01T15:59:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T21:05:00Z"
}
References

Affected packages

Maven / io.undertow:undertow-core

Package

Name
io.undertow:undertow-core
Purl
pkg:maven/io.undertow/undertow-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.17

Affected versions

1.*

1.0.0.Final
1.0.1.Final
1.0.2.Final
1.0.3.Final
1.0.4.Final
1.0.5.Final
1.0.6.Final
1.0.7.Final
1.0.8.Final
1.0.9.Final
1.0.10.Final
1.0.11.Final
1.0.12.Final
1.0.13.Final
1.0.14.Final
1.0.15.Final
1.0.16.Final

Maven / io.undertow:undertow-core

Package

Name
io.undertow:undertow-core
Purl
pkg:maven/io.undertow/undertow-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.0.Beta1
Fixed
1.1.0.CR5

Affected versions

1.*

1.1.0.Beta1
1.1.0.Beta2
1.1.0.Beta3
1.1.0.Beta4
1.1.0.Beta5
1.1.0.Beta6
1.1.0.Beta7
1.1.0.Beta8
1.1.0.CR1
1.1.0.CR2
1.1.0.CR3
1.1.0.CR4

Database specific

{
    "last_known_affected_version_range": "<= 1.1.0.CR4"
}

Maven / io.undertow:undertow-core

Package

Name
io.undertow:undertow-core
Purl
pkg:maven/io.undertow/undertow-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0.Beta1
Fixed
1.2.0.Beta3

Affected versions

1.*

1.2.0.Beta1
1.2.0.Beta2

Database specific

{
    "last_known_affected_version_range": "<= 1.2.0.Beta2"
}