It was found that paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Created springframework tracking bugs for this issue:
Affects: fedora-all [bug 1408165]
Could not find any uses for ResourceServlet in Red Hat Mobile Application Platform. Marking as not affected.
EAP 5 is in Extended Life Support phase, so we won't fix this moderate issue on that product.
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2017:3115 https://access.redhat.com/errata/RHSA-2017:3115