GHSA-h6p6-fc4w-cqhx

Suggest an improvement
Source
https://github.com/advisories/GHSA-h6p6-fc4w-cqhx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h6p6-fc4w-cqhx/GHSA-h6p6-fc4w-cqhx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h6p6-fc4w-cqhx
Aliases
  • CVE-2014-7816
Published
2022-05-17T04:15:16Z
Modified
2023-11-01T04:45:46.070142Z
Summary
Improper Limitation of a Pathname to a Restricted Directory in JBoss Undertow
Details

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

Database specific
{
    "nvd_published_at": "2014-12-01T15:59:00Z",
    "github_reviewed_at": "2022-07-06T21:05:00Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Maven / io.undertow:undertow-core

Package

Name
io.undertow:undertow-core
View open source insights on deps.dev
Purl
pkg:maven/io.undertow/undertow-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.0.17

Affected versions

1.*

1.0.0.Final
1.0.1.Final
1.0.2.Final
1.0.3.Final
1.0.4.Final
1.0.5.Final
1.0.6.Final
1.0.7.Final
1.0.8.Final
1.0.9.Final
1.0.10.Final
1.0.11.Final
1.0.12.Final
1.0.13.Final
1.0.14.Final
1.0.15.Final
1.0.16.Final

Maven / io.undertow:undertow-core

Package

Name
io.undertow:undertow-core
View open source insights on deps.dev
Purl
pkg:maven/io.undertow/undertow-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.0.Beta1
Fixed
1.1.0.CR5

Affected versions

1.*

1.1.0.Beta1
1.1.0.Beta2
1.1.0.Beta3
1.1.0.Beta4
1.1.0.Beta5
1.1.0.Beta6
1.1.0.Beta7
1.1.0.Beta8
1.1.0.CR1
1.1.0.CR2
1.1.0.CR3
1.1.0.CR4

Database specific

{
    "last_known_affected_version_range": "<= 1.1.0.CR4"
}

Maven / io.undertow:undertow-core

Package

Name
io.undertow:undertow-core
View open source insights on deps.dev
Purl
pkg:maven/io.undertow/undertow-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0.Beta1
Fixed
1.2.0.Beta3

Affected versions

1.*

1.2.0.Beta1
1.2.0.Beta2

Database specific

{
    "last_known_affected_version_range": "<= 1.2.0.Beta2"
}