CVE-2016-0793

HIGH

WildFly <10.0.0.Final - Info Disclosure

Title source: llm

Description

Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters.

Exploits (2)

exploitdb WRITEUP VERIFIED

by Tal Solomon of Palantir Security · textwebappswindows

https://www.exploit-db.com/exploits/39573

View Code ZIP pw:eip

nomisec STUB

by tafamace · poc

https://github.com/tafamace/CVE-2016-0793

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/136323/Wildfly-Filter-Restriction-Bypass-Information-Disclosure.html

[Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1305937

[Vendor Advisory] https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03784en_us

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20180215-0001/

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/39573/

Scores

CVSS v3 7.5

EPSS 0.3527

EPSS Percentile 97.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (3)

org.wildfly/wildfly-parent 0 - 10.0.0.FinalMaven

org.wildfly/wildfly-undertow 0 - 10.0.0.FinalMaven

redhat/jboss_wildfly_application_server 10.0.0

Published Apr 01, 2016

Tracked Since Feb 18, 2026