CVE-2014-7816 — Improper Limitation of a Pathname to a Restricted Directory in JBoss Undertow

Description

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

How to fix CVE-2014-7816

To remediate CVE-2014-7816, upgrade the affected package to a fixed version below.

Maven/io.undertow:undertow-core—upgrade to 1.0.17 or later

Is CVE-2014-7816 being exploited?

Likely — EPSS is 55.2%, placing CVE-2014-7816 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

>= 1.0.0, < 1.0.17

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-7816
WEBbugzilla.redhat.com/show_bug.cgi?id=1157478
WEBseclists.org/oss-sec/2014/q4/830
WEBissues.jboss.org/browse/UNDERTOW-338
WEBissues.jboss.org