Bug#891929: CVE-2018-1047: information disclosure of arbitrary local files

2018-03-02 Thread Markus Koschany
Control: severity -1 important

I am no longer sure undertow is affected. The issue is marked resolved upstream and one of the fixing commits https://github.com/wildfly/wildfly/pull/10748/files indicates the bug was in WildFly's undertow extension but not in Undertow itself. I keep this bug

Bug#891929: CVE-2018-1047: information disclosure of arbitrary local files

2018-03-02 Thread Markus Koschany
Source: undertow
Version: 1.4.8-1+deb9u1
Severity: grave
Tags: security
Forwarded: https://issues.jboss.org/browse/WFLY-9620

A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead