High severity 7.5 · NVD Advisory · Published Jan 24, 2018 · Updated Jun 17, 2026
CVE-2018-1048
Description
It was found that the AJP connector in Undertow, as shipped in JBoss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allows slash / anti-slash characters encoded in the URL, which may lead to path traversal and result in the information disclosure of arbitrary local files.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jboss.eap:wildfly-undertow (Maven) | >= 7.1.0.GA, < 7.1.1.GA | 7.1.1.GA |
Affected products
- Red Hat, Inc./undertow as shipped in Jboss EAP 7.1.0.GA · v5 · Range: 7.1.0.GA
References
- access.redhat.com/errata/RHSA-2018:0478 · nvd · Vendor Advisory · WEB
- access.redhat.com/errata/RHSA-2018:0479 · nvd · Vendor Advisory · WEB
- access.redhat.com/errata/RHSA-2018:0480 · nvd · Vendor Advisory · WEB
- access.redhat.com/errata/RHSA-2018:0481 · nvd · Vendor Advisory · WEB
- bugzilla.redhat.com/show_bug.cgi · nvd · Issue Tracking · Vendor Advisory · WEB
- github.com/advisories/GHSA-prfw-3qx6-g9xr · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-1048 · ghsa · ADVISORY