1224787 – (CVE-2015-3198) CVE-2015-3198 JBOSS: JSP source code leak when a slash added at the end of the URL

Bug 1224787 (CVE-2015-3198) - CVE-2015-3198 JBOSS: JSP source code leak when a slash added at the end of the URL

Summary: CVE-2015-3198 JBOSS: JSP source code leak when a slash added at the end of th...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2015-3198
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-05-25 17:48 UTC by Fabio Olive Leite
Modified:	2019-09-29 13:33 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-07-22 12:14:21 UTC
Embargoed:

Attachments	(Terms of Use)

Description Fabio Olive Leite 2015-05-25 17:48:17 UTC

A flaw was reported in the Undertow module of WildFly that leaks the
source code of a JSP page when a trailing slash (/) is added to the
end of its URL.

This issue did not affect any versions of Red Hat JBoss Enterprise
Application Platform because this flaw only affects the Undertow web
module; JBoss EAP uses JBoss Web.

Comment 1 Fabio Olive Leite 2015-05-25 17:53:32 UTC

References:
https://issues.jboss.org/browse/WFLY-4595

Comment 3 Timothy Walsh 2015-07-22 12:11:00 UTC

Confirmed this is not a problem for EAP 6.4.x.

Comment 4 Timothy Walsh 2015-07-22 12:14:21 UTC

Marking this as closed.  It has been fixed in WildFly 9.0.0.CR2, 10.0.0.Alpha1.

Note You need to log in before you can comment on or make changes to this bug.