CVE-2016-0793
published 2016-04-01

CVE-2016-0793: Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows…

Priority: P2 · 61 · high · CVSS 3.0 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit / EPSS: 15.57% (96.4th percentile)
Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters.

Affected (1 range)

Vendor    Product                            Version range   Fixed in
redhat    jboss_wildfly_application_server   -               -

Detection & IOCs (extracted from sources)

path: /WEB-INF
path: /META-INF
  • Detect HTTP requests targeting WEB-INF or META-INF paths using lowercase or mixed-case variants (e.g., /web-inf/, /meta-inf/), which bypass the servlet filter blacklist on WildFly running on Windows.
  • Alert on HTTP requests whose URL path case-insensitively matches /web-inf/ or /meta-inf/ but does not match the exact uppercase strings /WEB-INF or /META-INF; such a mismatch indicates a filter bypass attempt.
  • Monitor for unauthenticated remote requests to WildFly (before 10.0.0.Final) on Windows that reach sensitive deployment descriptor files (e.g., web.xml, beans.xml) via case-mangled or extra-character-padded paths under WEB-INF or META-INF.
  • This vulnerability only affects WildFly instances running on Windows; Linux/Unix deployments are not affected because their filesystems resolve paths case-sensitively, so a mangled name does not map to the protected directory.
  • Affected versions are WildFly prior to 10.0.0.Final, specifically confirmed on 9.0.2.Final and 8.2.1.Final. Red Hat JBoss EAP and layered products are NOT affected.
  • The bypassable check resides in the Undertow servlet handler (io.undertow.servlet.handlers.ServletInitialHandler); detection rules should account for both the startsWith and the equalsIgnoreCase/regionMatches code paths, since each can be bypassed independently.
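The detection rules above can be turned into a log scanner. The following Python is an added example, not code from the page's sources or from WildFly/Undertow: it normalises each request path the way a Windows filesystem would resolve it (percent-decoding, backslash as separator, trailing dots and spaces dropped from each segment, case ignored) and flags requests that only reach WEB-INF or META-INF after that normalisation, i.e. requests that a literal, case-sensitive check on the raw path would have let through. The Common Log Format parsing, the sample log lines and the choice of normalisation steps are assumptions made for the example.

```python
"""Flag requests that reach WEB-INF/META-INF through mangled path segments
(CVE-2016-0793-style servlet filter bypass on WildFly/Windows). Example code."""
from __future__ import annotations

import re
from typing import List, Optional
from urllib.parse import unquote

SENSITIVE_DIRS = {"WEB-INF", "META-INF"}

# Common Log Format (assumed): host ident authuser [date] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
)


def canonical_segments(target: str) -> List[str]:
    """Path segments as an NTFS-backed deployment would resolve them:
    query string removed, percent-decoding applied twice (catches double
    encoding), backslashes treated as separators, empty and "." segments
    dropped, and trailing dots/spaces stripped from each segment (Win32
    filename normalisation, assumed here). Letter case is preserved so
    the caller can compare it against the exact blacklist strings."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    return [s.rstrip(". ") for s in path.split("/") if s not in ("", ".")]


def classify(target: str) -> Optional[str]:
    """None    -> request does not touch a protected directory.
    'exact'  -> protected directory named literally (/WEB-INF, /META-INF);
                the servlet filter blocks this form.
    'bypass' -> protected directory reached only after normalisation, so a
                literal startsWith("/WEB-INF") check on the raw path misses it."""
    raw_segments = set(target.split("?", 1)[0].split("/"))
    hits = [s for s in canonical_segments(target) if s.upper() in SENSITIVE_DIRS]
    if not hits:
        return None
    if all(h in SENSITIVE_DIRS and h in raw_segments for h in hits):
        return "exact"
    return "bypass"


def scan_log(lines) -> List[tuple]:
    """Return (host, target, status) for every request classified as a bypass.
    A 200 status on such a request means the descriptor was actually served."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify(m["target"]) == "bypass":
            alerts.append((m["host"], m["target"], m["status"]))
    return alerts


# Constructed sample log: one blocked literal request, three bypass variants
# (lowercase, trailing dot, percent-encoded letter) and one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2016:10:00:01 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 404 74
203.0.113.7 - - [01/Apr/2016:10:00:02 +0000] "GET /app/web-inf/web.xml HTTP/1.1" 200 1532
203.0.113.7 - - [01/Apr/2016:10:00:03 +0000] "GET /app/WEB-INF./web.xml HTTP/1.1" 200 1532
203.0.113.7 - - [01/Apr/2016:10:00:04 +0000] "GET /app/%4dETA-INF/MANIFEST.MF HTTP/1.1" 200 87
198.51.100.4 - - [01/Apr/2016:10:00:05 +0000] "GET /app/images/logo.png HTTP/1.1" 200 4011
"""

if __name__ == "__main__":
    for host, target, status in scan_log(SAMPLE_LOG.splitlines()):
        print(f"BYPASS {host} {target} -> {status}")
```

The scanner deliberately treats the literal upper-case form as a separate verdict: on a patched server those requests are expected and blocked, whereas a "bypass" verdict paired with a 200 status is the signature of a successful read and should page someone.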

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             3.0       7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd             2.0       5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat   -         7.5     HIGH       -