CVE-2016-0793
Wildfly - 'WEB-INF' / 'META-INF' Information Disclosure via Filter Restriction Bypass
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters.
Vulnerabilidad de lista negra incompleta en el mecanismo de restricción del filtro de servlet en WildFly (anteriormente JBoss Application Server) en versiones anteriores a 10.0.0.Final en Windows permite a atacantes remotos leer archivos sensibles en el directorio (1) WEB-INF o (2) META-INF a través de una petición que contiene carácteres (a) en minúsculas o (b) "sin sentido".
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2015-12-16 CVE Reserved
- 2016-03-21 CVE Published
- 2018-11-19 First Exploit
- 2024-08-05 CVE Updated
- 2024-10-25 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/136323/Wildfly-Filter-Restriction-Bypass-Information-Disclosure.html | X_refsource_misc |
|
| https://security.netapp.com/advisory/ntap-20180215-0001 | X_refsource_confirm |
|
| https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03784en_us | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/39573 | 2024-08-05 | |
| https://github.com/tafamace/CVE-2016-0793 | 2018-11-19 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1305937 | 2018-05-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | * | - |
Safe
|