CVE-2018-1048 in JBoss EAP
Summary
by MITRE
It was found that the AJP connector in Undertow, as shipped in JBoss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allows the slash / anti-slash characters encoded in the URL, which may lead to path traversal and result in the information disclosure of arbitrary local files.
Analysis
by VulDB Data Team • 12/27/2019
The vulnerability identified as CVE-2018-1048 resides within the AJP connector implementation of Undertow web server as distributed with Red Hat JBoss Enterprise Application Platform 7.1.0.GA. This flaw represents a critical security weakness that stems from improper handling of URL encoding within the application layer gateway protocol connector. The AJP protocol serves as a binary protocol for communication between web servers and application servers, commonly used to connect Apache HTTP Server with JBoss applications. The vulnerability specifically manifests when the connector fails to properly validate encoded slash and backslash characters in URL paths, creating an avenue for malicious exploitation.
The technical root cause of this vulnerability can be traced to the absence of the ALLOW_ENCODED_SLASH configuration option within the Undertow AJP connector implementation. This configuration parameter, when properly enabled, would instruct the web server to reject or properly decode encoded path separators in URLs. Without this safeguard, the system processes encoded forward slashes (%2F) and backslashes (%5C) as literal path components rather than as directory traversal indicators. This misconfiguration allows attackers to craft malicious URLs that bypass normal path validation mechanisms, enabling them to navigate the file system beyond intended boundaries and access arbitrary local files on the server.
The operational impact of this vulnerability extends far beyond simple information disclosure, representing a severe path traversal attack vector that can compromise entire server environments. Attackers can leverage this weakness to access sensitive configuration files, application source code, database credentials, and other confidential data stored on the server filesystem. The vulnerability specifically affects JBoss EAP 7.1.0.GA installations where Undertow is configured to use the AJP connector, making it particularly dangerous in enterprise environments where these components are commonly deployed. The attack requires minimal privileges and can be executed through standard web requests, making it both accessible and potentially devastating to organizations relying on affected systems.
Organizations affected by this vulnerability should immediately implement mitigations, including updating to a patched version of JBoss EAP 7.1.0.GA or a later release that properly configures the ALLOW_ENCODED_SLASH option. The vulnerability aligns with CWE-22 Path Traversal and CWE-23 Improper Neutralization of Special Elements used in an OS Command, as it allows attackers to manipulate file system access through encoded URL components. From an adversary perspective, this vulnerability maps to ATT&CK technique T1083 File and Directory Discovery, where attackers enumerate and access sensitive files on compromised systems. Additional defensive measures include implementing proper input validation at the application level, configuring web application firewalls to detect and block encoded path traversal attempts, and conducting regular security assessments of web server configurations to ensure proper handling of special characters in URL processing.
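The root-cause paragraph above describes encoded separators (%2F, %5C) being decoded into path components, and the mitigation paragraph recommends detecting such requests at a WAF or in access logs. The following added example (written for this page, not Undertow's or Red Hat's code) shows the check a hardened listener or log scanner would apply: flag raw paths carrying an encoded separator when `allow_encoded_slash` is off, and flag any `..` segment that survives a single percent-decode. The log lines and request paths are constructed samples, not captured traffic.

```python
import re
from urllib.parse import unquote

# Encoded path separators that a listener must not turn into directory
# boundaries unless the operator explicitly allowed encoded slashes.
ENCODED_SEP = re.compile(r"%2f|%5c", re.IGNORECASE)


def check_request_path(raw_path: str, allow_encoded_slash: bool = False) -> dict:
    """Classify one raw request path the way a hardened connector should.

    Returns the single-decoded path, whether the raw path carried an encoded
    separator, whether a '..' segment appears after decoding, and the verdict.
    """
    has_encoded_sep = bool(ENCODED_SEP.search(raw_path))
    # Decode exactly once; a double-encoded separator (%252f) stays encoded
    # and therefore stays harmless to the segment analysis below.
    decoded = unquote(raw_path)
    # Backslashes are treated as separators too, matching the %5C case.
    segments = re.split(r"[\\/]+", decoded)
    has_dotdot = ".." in segments
    blocked = has_dotdot or (has_encoded_sep and not allow_encoded_slash)
    return {
        "decoded": decoded,
        "encoded_separator": has_encoded_sep,
        "dotdot_segment": has_dotdot,
        "blocked": blocked,
    }


# Constructed access-log lines (hypothetical hosts and paths, not real data).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /app/index.jsp HTTP/1.1" 200',
    '10.0.0.7 - - "GET /app/..%2f..%2fconfig/app.properties HTTP/1.1" 200',
    '10.0.0.9 - - "GET /app/%2e%2e%5cWEB-INF%5cweb.xml HTTP/1.1" 200',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_log(lines):
    """Return (raw_path, verdict) for every request path found in the lines."""
    results = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m:
            results.append((m.group(1), check_request_path(m.group(1))))
    return results


if __name__ == "__main__":
    for path, verdict in scan_log(SAMPLE_LOG):
        print("BLOCK" if verdict["blocked"] else "allow", path, verdict["decoded"])
```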