CVE-2018-1047
undertow: Path traversal in ServletResourceManager class
Severity Score
5.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files.
Se ha encontrado un fallo en Wildfly 9.x. Una vulnerabilidad de salto de directorio a través del método org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource podría llevar a la revelación de información de archivos locales arbitrarios.
A path traversal vulnerability was discovered in Undertow's org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method. This could lead to information disclosure of arbitrary local files.
Red Hat OpenShift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications for OpenShift as a containerized platform. This release of RHOAR Thorntail 2.2.0 serves as a replacement for RHOAR WildFly Swarm 7.1.0, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include a traversal vulnerability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-12-04 CVE Reserved
- 2018-01-24 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (8)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:1247 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2018:1248 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2018:1249 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2018:1251 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2018:2938 | 2023-11-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1528361 | 2018-10-17 | |
| https://issues.jboss.org/browse/WFLY-9620 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2018-1047 | 2018-10-17 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.1.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.1.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 9.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "9.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 9.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "9.0.0" | alpha1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 9.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "9.0.0" | beta1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 9.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "9.0.0" | beta2 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 9.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "9.0.0" | cr1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 9.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "9.0.0" | cr2 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 9.0.1 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "9.0.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 9.0.2 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "9.0.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | alpha1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | alpha2 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | alpha3 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | alpha4 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | alpha5 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | alpha6 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | beta1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | beta2 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | cr1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | cr2 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | cr3 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | cr4 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.0.0" | cr5 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.1.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 10.1.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "10.1.0" | cr1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 11.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "11.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 11.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "11.0.0" | alpha1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 11.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "11.0.0" | beta1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Wildfly Application Server Search vendor "Redhat" for product "Jboss Wildfly Application Server" | 11.0.0 Search vendor "Redhat" for product "Jboss Wildfly Application Server" and version "11.0.0" | cr1 |
Affected
| ||||||