JBoss Application Server (WildFly) Blacklist Bypass Vulnerability Fixed by 10.0.0.Final


Description   A vulnerability was reported in JBoss Application Server (WildFly). A remote attacker could exploit it by sending a request whose path contains a protected directory name in lowercase followed by a "meaningless" trailing character, in order to access files in the WEB-INF and META-INF directories. The vulnerability stems from an incomplete blacklist in the servlet filter restriction mechanism: the filter matches the protected names literally instead of comparing them against the canonical path the file system will actually resolve. A proof of concept is available.
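The following is an added illustration of the incomplete-blacklist pattern described above; it is constructed for this page and is not WildFly's or Undertow's code. `vulnerable_is_blocked` is a hypothetical filter that compares raw path segments literally, and `hardened_is_blocked` canonicalises the request path (percent-decoding, separator unification, dot-segment collapsing, case folding) before comparing. The choice of dot and space as the "meaningless" trailing characters is an assumption based on how Windows resolves file names, and the sample request paths are constructed, not taken from the advisory or its proof of concept.

```python
"""Model of the incomplete-blacklist pattern behind CVE-2016-0793.

Added illustration, not WildFly's code. Both filters below are constructed
models: `vulnerable_is_blocked` matches protected directory names literally
and only as whole, case-sensitive path segments, while `hardened_is_blocked`
canonicalises the request path before comparing. Treating a trailing dot or
space as "meaningless" is an assumption about the file system (Windows
discards them when resolving names), not a detail taken from the advisory.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote

PROTECTED_DIRS = ("WEB-INF", "META-INF")

# Constructed sample request paths, each labelled with whether a correct
# filter should block it.
SAMPLE_REQUESTS = [
    ("/index.jsp", False),
    ("/WEB-INF/web.xml", True),
    ("/META-INF/MANIFEST.MF", True),
    ("/web-inf/web.xml", True),           # lowercase only
    ("/web-inf./web.xml", True),          # lowercase + trailing dot
    ("/META-INF%20/MANIFEST.MF", True),   # encoded trailing space (assumed)
    ("/static/../WEB-INF/web.xml", True), # dot segment
    ("/WEB-INF%2fweb.xml", True),         # encoded separator
]


def vulnerable_is_blocked(path: str) -> bool:
    """Literal, case-sensitive segment blacklist: the incomplete pattern."""
    return any(seg in PROTECTED_DIRS for seg in path.split("/"))


def canonical_segments(path: str) -> list[str]:
    """Decode percent-encoding, unify separators, collapse dot segments,
    then casefold each segment and strip trailing dots/spaces (assumed to
    be the characters the file system silently discards)."""
    decoded = unquote(path).replace("\\", "/")
    # lstrip avoids posixpath's special handling of a leading double slash
    normalised = posixpath.normpath("/" + decoded.lstrip("/"))
    return [seg.rstrip(". ").casefold()
            for seg in normalised.split("/") if seg]


def hardened_is_blocked(path: str) -> bool:
    """Compare canonical segments against the casefolded protected names."""
    protected = {d.casefold() for d in PROTECTED_DIRS}
    return any(seg in protected for seg in canonical_segments(path))


def evaluate(filter_fn, requests=SAMPLE_REQUESTS) -> dict[str, bool]:
    """Return {path: decision} so the two filters can be compared."""
    return {path: filter_fn(path) for path, _ in requests}


def misses(filter_fn, requests=SAMPLE_REQUESTS) -> list[str]:
    """Paths the filter lets through although they should be blocked."""
    return [p for p, should_block in requests
            if should_block and not filter_fn(p)]


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_is_blocked),
                     ("hardened", hardened_is_blocked)):
        print(f"{name}: misses {misses(fn)}")
```

The point to take from the two filters is the order of operations: a blacklist that is consulted before the path has been reduced to the form the file system will resolve can always be sidestepped by a representation the file system accepts but the filter does not recognise. Canonicalise first, then compare; and where the deployment allows it, prefer an allowlist of servable locations over a blacklist of protected ones.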
     
Vulnerable Products   Vulnerable Software:
JBoss Application Server (WildFly), versions before 10.0.0.Final (JBoss Inc.)
     
Solution   Version 10.0.0.Final of JBoss Application Server (WildFly) fixes this vulnerability.
     
CVE   CVE-2016-0793
     
References   - Red Hat : wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass
https://bugzilla.redhat.com/show_bug.cgi?id=1305937
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm: "Java : Suspicious access to META-INF and WEB-INF folders" (available since ASQ engine 3.5.0)
     


Risk level   Low

Vulnerability First Public Report Date   2016-02-10

Target Type   Server

Possible exploit   Remote