CVE-2024-1459 - Vulnerability Details

A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.07724.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Bpms Platform Jboss Enterprise Brms Platform Jboss Fuse Quarkus Red Hat Single Sign On Undertow

Configuration 1 [-]

cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat JBoss Enterprise Application Platform 7
	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2024:1677	2024-04-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-activemq-artemis-0:2.16.0-18.redhat_00052.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-apache-cxf-0:3.4.10-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-eclipse-jgit-0:5.13.3.202401111512-1.r_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-elytron-web-0:1.9.4-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-hal-console-0:3.3.21-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-hibernate-0:5.3.36-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-infinispan-0:11.0.18-2.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-insights-java-client-0:1.1.2-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-jberet-0:1.3.9-3.SP3_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-jboss-annotations-api_1.3_spec-0:2.0.1-3.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-jboss-cert-helper-0:1.1.2-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-jboss-remoting-0:5.0.27-4.SP2_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-35.Final_redhat_00034.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-jboss-xnio-base-0:3.8.12-1.SP2_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-jgroups-kubernetes-0:1.0.17-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-lucene-solr-0:5.5.5-6.redhat_2.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-wildfly-0:7.4.16-4.GA_redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
eap7-wildfly-elytron-0:1.15.22-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2024:1675	2024-04-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-activemq-artemis-0:2.16.0-18.redhat_00052.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-apache-cxf-0:3.4.10-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-eclipse-jgit-0:5.13.3.202401111512-1.r_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-elytron-web-0:1.9.4-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-hal-console-0:3.3.21-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-hibernate-0:5.3.36-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-infinispan-0:11.0.18-2.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-insights-java-client-0:1.1.2-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-jberet-0:1.3.9-3.SP3_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-jboss-annotations-api_1.3_spec-0:2.0.1-3.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-jboss-cert-helper-0:1.1.2-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-jboss-remoting-0:5.0.27-4.SP2_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-35.Final_redhat_00034.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-jboss-xnio-base-0:3.8.12-1.SP2_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-jgroups-kubernetes-0:1.0.17-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-lucene-solr-0:5.5.5-6.redhat_2.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-wildfly-0:7.4.16-4.GA_redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
eap7-wildfly-elytron-0:1.15.22-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2024:1676	2024-04-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-activemq-artemis-0:2.16.0-18.redhat_00052.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-apache-cxf-0:3.4.10-2.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-eclipse-jgit-0:5.13.3.202401111512-1.r_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-elytron-web-0:1.9.4-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-hal-console-0:3.3.21-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-hibernate-0:5.3.36-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-infinispan-0:11.0.18-2.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-insights-java-client-0:1.1.2-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-jberet-0:1.3.9-3.SP3_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-jboss-annotations-api_1.3_spec-0:2.0.1-3.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-jboss-cert-helper-0:1.1.2-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-jboss-remoting-0:5.0.27-4.SP2_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-jboss-server-migration-0:1.10.0-35.Final_redhat_00034.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-jboss-xnio-base-0:3.8.12-1.SP2_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-jgroups-kubernetes-0:1.0.17-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-lucene-solr-0:5.5.5-6.redhat_2.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-wildfly-0:7.4.16-4.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
eap7-wildfly-elytron-0:1.15.22-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2024:1674	2024-04-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8
	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2024:2763	2024-05-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-undertow-0:2.3.11-1.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2024:2764	2024-05-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-undertow-0:2.3.11-1.SP1_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2024:2764	2024-05-08T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-0728	A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.
Github GHSA	GHSA-v76w-3ph8-vm66	Undertow Path Traversal vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:1674
https://access.redhat.com/errata/RHSA-2024:1675
https://access.redhat.com/errata/RHSA-2024:1676
https://access.redhat.com/errata/RHSA-2024:1677
https://access.redhat.com/errata/RHSA-2024:2763
https://access.redhat.com/errata/RHSA-2024:2764
https://access.redhat.com/security/cve/CVE-2024-1459
https://bugzilla.redhat.com/show_bug.cgi?id=2259475
https://nvd.nist.gov/vuln/detail/CVE-2024-1459
https://security.netapp.com/advisory/ntap-20241122-0008/
https://www.cve.org/CVERecord?id=CVE-2024-1459

History

Fri, 22 Nov 2024 13:00:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20241122-0008/

Tue, 22 Oct 2024 02:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 21 Aug 2024 07:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:jboss_enterprise_application_platform:7~~
References		https://access.redhat.com/errata/RHSA-2024:1674 https://access.redhat.com/errata/RHSA-2024:1675 https://access.redhat.com/errata/RHSA-2024:1676

Tue, 20 Aug 2024 23:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-02-12T20:30:03.768Z

Updated: 2025-10-10T00:10:33.402Z

Reserved: 2024-02-12T20:12:13.991Z

Link: CVE-2024-1459

Vulnrichment

Updated: 2024-11-22T12:04:46.762Z

NVD

Status : Modified

Published: 2024-02-12T21:15:08.533

Modified: 2024-11-22T12:15:18.250

Link: CVE-2024-1459

Redhat

Severity : Moderate

Publid Date: 2024-01-18T00:00:00Z

Links: CVE-2024-1459 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object