Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-0793

CWE-200Information ExposureCWE-1847 documents7 sources
Severity
7.5HIGH
EPSS
35.3%
top 2.96%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Redhat Jboss Wildfly Application Server
Timeline
PublishedApr 1
Latest updateMay 14

Description

Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Mavenorg.wildfly:wildfly-parent< 10.0.0.Final
Mavenorg.wildfly:wildfly-undertow< 10.0.0.Final

🔴Vulnerability Details

3
GHSA
WildFly has incomplete blacklist vulnerability2022-05-14
OSV
WildFly has incomplete blacklist vulnerability2022-05-14
CVEList
CVE-2016-0793: Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 102016-04-01

💥Exploits & PoCs

1
Exploit-DB
Wildfly - 'WEB-INF' / 'META-INF' Information Disclosure via Filter Restriction Bypass2016-03-20

📋Vendor Advisories

1
Red Hat
wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass2016-02-11

💬Community

1
Bugzilla
CVE-2016-0793 wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass2016-02-09
CVE-2016-0793 (HIGH CVSS 7.5) | Incomplete blacklist vulnerability | cvebase.io