CVE-2018-1047 – undertow: Path traversal in ServletResourceManager class
https://notcve.org/view.php?id=CVE-2018-1047
A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files. Se ha encontrado un fallo en Wildfly 9.x. Una vulnerabilidad de salto de directorio a través del método org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource podría llevar a la revelación de información de archivos locales arbitrarios. A path traversal vulnerability was discovered in Undertow's org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method. • https://access.redhat.com/errata/RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:2938 https://bugzilla.redhat.com/show_bug.cgi?id=1528361 https://issues.jboss.org/browse/WFLY-9620 https://access.redhat.com/security/cve/CVE-2018-1047 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2016-9589 – wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage
https://notcve.org/view.php?id=CVE-2016-9589
Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection. Undertow en Red Hat wildfly, en versiones anteriores a la 11.0.0.Beta1, es vulnerable a un agotamiento de recursos, lo cual resulta en una denegación de servicio (DoS). Undertow mantiene una caché de las cabeceras HTTP vistas en conexiones persistentes. • http://rhn.redhat.com/errata/RHSA-2017-0830.html http://rhn.redhat.com/errata/RHSA-2017-0831.html http://rhn.redhat.com/errata/RHSA-2017-0832.html http://rhn.redhat.com/errata/RHSA-2017-0834.html http://rhn.redhat.com/errata/RHSA-2017-0876.html http://www.securityfocus.com/bid/97060 https://access.redhat.com/errata/RHSA-2017:0872 https://access.redhat.com/errata/RHSA-2017:0873 https://access.redhat.com/errata/RHSA-2017:3454 https://access.redhat.com/errata/ • CWE-400: Uncontrolled Resource Consumption •