Impact
Winstone Servlet Engine versions up to 0.9.10 contain a path‑traversal flaw that allows an unauthenticated attacker to read arbitrary files by sending HTTP GET requests that include dot‑dot‑slash sequences. These traversal prefixes are not sanitized when serving static files from the configured web root, enabling the attacker to walk outside the intended directory and read any file that the servlet process can access. The impact is direct confidentiality compromise, potentially exposing sensitive system configuration or credential files if the service runs with elevated privileges. The weakness is a classic directory traversal problem identified as CWE‑22.
Affected Systems
This vulnerability affects the Winstone Servlet Container developed by rickknowles, specifically all releases up to and including version 0.9.10. No other product or version information is available from the CNA.
Risk and Exploitability
The CVSS base score of 8.7 classifies the vulnerability as high severity. While the EPSS score is not available, the lack of authentication requirement and the ability to read files over HTTP suggests that exploitation can be performed remotely by anyone who can reach the service. The vulnerability is not currently listed in the CISA KEV catalog, but the potential to access system files means that it should be treated as a critical risk for services running with elevated privileges.
OpenCVE Enrichment