Description
Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters.
Remediation
References
https://www.exploit-db.com/exploits/39573/
https://bugzilla.redhat.com/show_bug.cgi?id=1305937
http://packetstormsecurity.com/files/136323/Wildfly-Filter-Restriction-Bypass-Information-Disclosure.html
https://security.netapp.com/advisory/ntap-20180215-0001/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03784en_us
Related Vulnerabilities
CVE-2015-0250 Vulnerability in maven package batik:batik-dom
CVE-2011-2204 Vulnerability in maven package tomcat:catalina
CVE-2017-12795 Vulnerability in maven package org.openmrs.module:htmlformentry-omod
CVE-2022-2191 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2022-31684 Vulnerability in maven package io.projectreactor.netty:reactor-netty-http