CVE-2021-3688
26.08.2022, 16:15
A flaw was found in Red Hat JBoss Core Services HTTP Server in all versions, where it does not properly normalize the path component of a request URL that contains dot-dot-semicolon(s). This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
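The record above describes the weakness only in one sentence. The following Python is an added illustration, not code from the CVE record or from Red Hat: it contrasts a naive path normalizer, which resolves only literal `..` segments, with one that first strips RFC 3986 path parameters (everything from the first `;` in a segment) so that a dot-dot-semicolon segment is treated as `..` before any authorization prefix check is made. It also includes a small check over constructed access-log lines that flags requests carrying such segments, which is the kind of detection a defender would want while patching. All function names, the `/admin` prefix and the log lines are assumptions made for the example.

```python
"""Added example (not from the CVE record): a path normalizer that handles
dot-dot-semicolon segments, a naive normalizer for contrast, an allow-list
prefix check, and a detection pass over constructed access-log lines."""
from urllib.parse import unquote


def naive_normalize(raw_path: str) -> str:
    """Resolve only literal '.' and '..' segments.

    A segment such as '..;' is not equal to '..', so it is kept verbatim and
    a prefix-based authorization check never sees the directory climb. This is
    the class of mistake the advisory describes, shown here for contrast only.
    """
    segments = []
    for seg in raw_path.split("?", 1)[0].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalize_path(raw_path: str) -> str:
    """Return a canonical absolute path suitable for authorization decisions.

    Each segment is percent-decoded, then its path parameters (from the first
    ';' onward) are dropped, and only then are '.' and '..' resolved. '..' at
    the root is discarded rather than allowed to escape.
    """
    segments = []
    for seg in raw_path.split("?", 1)[0].split("/"):
        seg = unquote(seg).split(";", 1)[0]  # strip ';param' path parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_under(raw_path: str, protected_prefix: str) -> bool:
    """True if the normalized request path lies under protected_prefix."""
    norm = normalize_path(raw_path)
    prefix = protected_prefix.rstrip("/")
    return norm == prefix or norm.startswith(prefix + "/")


def has_dot_dot_semicolon(raw_path: str) -> bool:
    """True if any (decoded) segment is '..' carrying a path parameter."""
    for seg in raw_path.split("?", 1)[0].split("/"):
        decoded = unquote(seg)
        if ";" in decoded and decoded.split(";", 1)[0] == "..":
            return True
    return False


def flag_requests(log_lines):
    """Return the request paths from combined-format log lines that contain
    a dot-dot-semicolon segment (constructed input, assumed log format)."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()  # e.g. ['GET', '/path', 'HTTP/1.1']
        if len(fields) >= 2 and has_dot_dot_semicolon(fields[1]):
            hits.append(fields[1])
    return hits


# Constructed sample log lines (not real traffic); the timestamp is arbitrary.
LOG_LINES = [
    '10.0.0.5 - - [26/Aug/2022:16:15:00 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [26/Aug/2022:16:15:01 +0000] "GET /app/..;/admin/ HTTP/1.1" 200 1034',
    '10.0.0.9 - - [26/Aug/2022:16:15:02 +0000] "GET /app/%2e%2e;/admin/ HTTP/1.1" 200 1034',
]

if __name__ == "__main__":
    for path in ("/app/index.html", "/app/..;/admin/"):
        print(path, "naive ->", naive_normalize(path),
              "| proper ->", normalize_path(path),
              "| under /admin:", is_under(path, "/admin"))
    print("flagged:", flag_requests(LOG_LINES))
```

The defensive point is ordering: strip path parameters and percent-decode each segment first, resolve `..` second, and apply the allow-list or deny-list prefix check only to the result. Any check that runs against the raw path, or against the output of `naive_normalize`, will see `/app/..;/admin` and conclude the request is not for `/admin`.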
Vendor | Product | Version |
---|---|---|
redhat | jboss_core_services_httpd | 𝑥 < 2.4.37 |
redhat | jboss_core_services_httpd | 2.4.37 |
redhat | jboss_core_services_httpd | 2.4.37:sp1 |
redhat | jboss_core_services_httpd | 2.4.37:sp2 |
redhat | jboss_core_services_httpd | 2.4.37:sp3 |
redhat | jboss_core_services_httpd | 2.4.37:sp4 |
redhat | jboss_core_services_httpd | 2.4.37:sp5 |
redhat | jboss_core_services_httpd | 2.4.37:sp6 |
redhat | jboss_core_services_httpd | 2.4.37:sp7 |
redhat | jboss_core_services_httpd | 2.4.37:sp8 |
redhat | jboss_core_services_httpd | 2.4.37:sp9 |
𝑥 = vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.