Source: Google OSV, GHSA-GV2W-88HX-8M9R
Published: May 24, 2022 - 5:16 p.m.

Improper Authorization in Undertow

Reporter: Google (osv.dev)
Keywords: file inclusion vulnerability, AJP connector, default port, Undertow 2.0.29, remote attacker, unauthenticated, web application files, vulnerable server, file uploads, remote code execution

EPSS: 0.974 (percentile 99.9%)

A file inclusion vulnerability was found in the AJP connector of Undertow, which listens on port 8009 in a default AJP configuration. It affects Undertow 2.0.29.Final and earlier and was fixed in 2.0.30.Final. The flaw is reachable only where the AJP listener is enabled and exposed to the attacker. A remote, unauthenticated attacker could exploit it to read web application files from a vulnerable server. Where the vulnerable server also accepts file uploads, an attacker could upload malicious JavaServer Pages (JSP) code embedded in a variety of file types and then trigger this vulnerability to gain remote code execution.
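The two checks a practitioner wants from this entry are "is the AJP listener reachable from where the attacker sits?" and "is the running Undertow inside the stated version range?". The script below is an added example, not code from the advisory or from the Undertow project. It sends the standard AJP13 CPing packet to port 8009 and recognises the CPong reply, which confirms an exposed AJP connector without exercising the vulnerability itself, and it compares a version string against the range this advisory states (2.0.29.Final and earlier, fixed in 2.0.30.Final). The `FakeAjpSocket` class is a constructed in-memory stand-in for a listening server so the example runs offline; the host names used are assumptions.

```python
import socket
import struct

AJP_DEFAULT_PORT = 8009

# AJP13 framing: client->container packets start with 0x12 0x34, container->client
# packets start with b"AB"; both carry a 2-byte big-endian payload length, and the
# first payload byte is the message type.
AJP_TYPE_CPING = 10   # client: "are you alive?"
AJP_TYPE_CPONG = 9    # container: "yes"


def build_cping() -> bytes:
    """Build the 5-byte AJP13 CPing request: magic, length=1, type=10."""
    payload = bytes([AJP_TYPE_CPING])
    return b"\x12\x34" + struct.pack(">H", len(payload)) + payload


def parse_server_packet(data: bytes):
    """Return (type, payload) for a container->client packet, or None if malformed."""
    if len(data) < 5 or data[:2] != b"AB":
        return None
    (length,) = struct.unpack(">H", data[2:4])
    if length < 1 or len(data) < 4 + length:
        return None
    return data[4], data[5:4 + length]


def is_cpong(data: bytes) -> bool:
    parsed = parse_server_packet(data)
    return parsed is not None and parsed[0] == AJP_TYPE_CPONG


def probe_ajp(host, port=AJP_DEFAULT_PORT, timeout=3.0, connect=socket.create_connection):
    """True if an AJP13 connector answers CPing with CPong on host:port.

    `connect` is injectable so the probe can run against a fake transport offline.
    Any socket error (refused, timeout, reset) is reported as "not reachable".
    """
    try:
        with connect((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_cping())
            reply = sock.recv(16)
    except OSError:
        return False
    return is_cpong(reply)


def version_tuple(version: str):
    """'2.0.29.Final' -> (2, 0, 29); non-numeric qualifiers are dropped."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def affected_by_advisory(version: str) -> bool:
    """True for versions below 2.0.30.Final, the range stated in this advisory."""
    return version_tuple(version) < (2, 0, 30)


class FakeAjpSocket:
    """Constructed stand-in for a listening AJP connector (offline demo only)."""

    def __init__(self):
        self.received = b""

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def settimeout(self, timeout):
        pass

    def sendall(self, data):
        self.received += data

    def recv(self, size):
        # A real connector answers CPing with a CPong packet: "AB", length 1, type 9.
        if self.received == build_cping():
            return b"AB\x00\x01\x09"
        return b""


def fake_connect(address, timeout=None):
    return FakeAjpSocket()


if __name__ == "__main__":
    import sys
    # Usage: python ajp_check.py <host> [version]; with no host the fake transport is used.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    reachable = probe_ajp(host) if host else probe_ajp("demo-host", connect=fake_connect)
    print(f"AJP connector reachable: {reachable}")
    if len(sys.argv) > 2:
        print(f"version {sys.argv[2]} in advisory range: {affected_by_advisory(sys.argv[2])}")
```

A positive CPong from an address outside the application's own host or reverse proxy is the finding to act on: upgrade to 2.0.30.Final or later as the advisory states, and keep the AJP listener off any network segment an untrusted client can reach. Note that `affected_by_advisory` encodes only the range written in this entry; other release branches are not covered by it.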