Bug#891928: CVE-2018-1048: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser
Link to patch: https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5 signature.asc Description: OpenPGP digital signature
Bug#891928: CVE-2018-1048: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser
Source: undertow Version: 1.4.8-1+deb9u1 Severity: grave Tags: security Forwarded: https://issues.jboss.org/browse/UNDERTOW-1245 It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash
