CVE-2018-1047

MEDIUM

Red Hat JBoss WildFly Application Server < 12.0.0 - Path Traversal

Description

A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files.

Exploits (1)

nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/wildfly__wildfly_CVE-2018-1047_11-0-0-Final

Scores

CVSS v3 5.5
EPSS 0.0018
EPSS Percentile 38.8%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-22, CWE-20
Status published
Products (8)
org.wildfly/wildfly-undertow 0 - 12.0.0 (Maven)
redhat/jboss_enterprise_application_platform 7.1.0
redhat/jboss_wildfly_application_server 9.0.0 (6 CPE variants)
redhat/jboss_wildfly_application_server 9.0.1
redhat/jboss_wildfly_application_server 9.0.2
redhat/jboss_wildfly_application_server 10.0.0 (14 CPE variants)
redhat/jboss_wildfly_application_server 10.1.0 (2 CPE variants)
redhat/jboss_wildfly_application_server 11.0.0 (4 CPE variants)
Published Jan 24, 2018
Tracked Since Feb 18, 2026