CVE-2018-1048

Debian Bug report logs - #891928 CVE-2018-1048: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser Package: src:undertow; Maintainer for src:undertow is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Markus Koschany <apo@debianorg> Date: Fri, 2 Mar 2018 17 ...

Synopsis Important: jboss-ec2-eap package for EAP 711 Type/Severity Security Advisory: Important Topic An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 711 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 711 for Red Ha ...

Synopsis Important: JBoss Enterprise Application Platform 711 on RHEL 6 Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 71 for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impac ...

Synopsis Important: JBoss Enterprise Application Platform 711 for RHEL 7 Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 71 for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impa ...

Synopsis Important: Red Hat JBoss Enterprise Application Platform 711 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application PlatformRed Hat Product Security has rated this update as having a security impact of Important A Com ...

It was found that the AJP connector in undertow, as shipped in Jboss EAP 710GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files ...