Moderate severityNVD Advisory· Published Dec 1, 2014· Updated May 6, 2026

CVE-2014-7816

Description

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.undertow:undertow-coreMaven	>= 1.0.0, < 1.0.17	1.0.17
io.undertow:undertow-coreMaven	>= 1.1.0.Beta1, < 1.1.0.CR5	1.1.0.CR5
io.undertow:undertow-coreMaven	>= 1.2.0.Beta1, < 1.2.0.Beta3	1.2.0.Beta3

Affected products

Red Hat/Undertow3 versions
cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*range: <=1.0.16
- cpe:2.3:a:redhat:undertow:*:beta2:*:*:*:*:*:*range: <=1.2.0
- cpe:2.3:a:redhat:undertow:*:cr4:*:*:*:*:*:*range: <=1.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugzilla.redhat.com/show_bug.cginvdVendor AdvisoryWEB
github.com/advisories/GHSA-h6p6-fc4w-cqhxghsaADVISORY
issues.jboss.org/browse/UNDERTOW-338nvdVendor AdvisoryWEB
issues.jboss.org/browse/WFLY-4020nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2014-7816ghsaADVISORY
seclists.org/oss-sec/2014/q4/830nvdWEB
www.securityfocus.com/bid/71328nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.044
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000