Description
It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.
Remediation
References
Related Vulnerabilities
WordPress Plugin Booking Calendar Contact Form Multiple Vulnerabilities (1.0.23)
PHP Numeric Errors Vulnerability (CVE-2011-1471)
Oracle JRE CVE-2020-2590 Vulnerability (CVE-2020-2590)
Chamilo Improper Input Validation Vulnerability (CVE-2012-4030)
WordPress Plugin Alert Before Your Post Cross-Site Scripting (0.1.1)