CVE-2014-7816

WildFly Directory Traversal

Title source: metasploit

Exploitation Summary

EIP tracks 4 public exploits for CVE-2014-7816: PoCs published by dawetmaster, andikahilmy and shoucheng3, and the Metasploit module auxiliary/scanner/http/wildfly_traversal.

AI-analyzed exploit summary: The repository contains source code for Undertow, a Java web server, but lacks any exploit code or technical analysis related to CVE-2014-7816. The README provides no details about the vulnerability or how to exploit it.

Description

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

Exploits (4)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2014-7816-undertow-vulnerable

The repository contains source code for Undertow, a Java web server, but lacks any exploit code or technical analysis related to CVE-2014-7816. The README provides no details about the vulnerability or how to exploit it.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Undertow (version not specified)
No auth needed
Prerequisites: none
devstral-2 · analyzed Mar 14, 2026

nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2014-7816-undertow-vulnerable

The repository contains a snapshot of the Undertow web server codebase but lacks any exploit code or technical analysis related to CVE-2014-7816. It appears to be a placeholder or incomplete repository.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Undertow web server
No auth needed
devstral-2 · analyzed Feb 18, 2026

nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/undertow-io__undertow_CVE-2014-7816_1-0-16-Final

The repository contains source code for Undertow, a Java web server, but lacks exploit-specific code or a proof-of-concept for CVE-2014-7816. The README and provided files are part of the Undertow project and do not demonstrate the vulnerability.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Undertow (version 1.0.16.Final)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wildfly_traversal.rb

This Metasploit module exploits a directory traversal vulnerability in WildFly 8.1.0.Final on Windows systems, allowing unauthorized file reads via crafted HTTP requests. It sends a GET request with traversal sequences to access sensitive files like configuration files.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WildFly 8.1.0.Final (JBoss Undertow)
No auth needed
Prerequisites: WildFly 8.1.0.Final running on Windows · Access to port 8080
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1157478
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/71328
Vendor Advisory x_refsource_confirm
https://issues.jboss.org/browse/UNDERTOW-338
Vendor Advisory x_refsource_confirm
https://issues.jboss.org/browse/WFLY-4020
Mailing List mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q4/830

Scores

EPSS 0.5515
EPSS Percentile 98.1%

Details

CWE: CWE-22
Status: published
Products (4)
io.undertow/undertow-core 1.0.0 - 1.0.17 (Maven)
redhat/undertow < 1.0.16
redhat/undertow < 1.1.0
redhat/undertow < 1.2.0
Published: Dec 01, 2014
Tracked Since: Feb 18, 2026