Bug 1413028 – CVE-2017-2595 wildfly: Arbitrary file read via path traversal

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1413028 - (CVE-2017-2595) CVE-2017-2595 wildfly: Arbitrary file read via path traversal

Summary:	CVE-2017-2595 wildfly: Arbitrary file read via path traversal

Status:	NEW

Aliases:	CVE-2017-2595

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170607,repor...
Keywords:	Security

Depends On:	1415787 1415786
Blocks:	1413031 1461888 1520314
	Show dependency tree / graph

Reported:	2017-01-13 07:39 EST by Adam Mariš
Modified:	2018-10-19 17:39 EDT (History)
CC List:	25 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:1409	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform security update	2017-06-07 16:37:27 EDT
Red Hat Product Errata	RHSA-2017:1410	normal	SHIPPED_LIVE	Moderate: JBoss Enterprise Application Platform 7.0.6 on Red Hat Enterprise Linux 6	2017-06-07 17:00:45 EDT
Red Hat Product Errata	RHSA-2017:1411	normal	SHIPPED_LIVE	Moderate: JBoss Enterprise Application Platform 7.0.6 on Red Hat Enterprise Linux 7	2017-06-07 16:58:48 EDT
Red Hat Product Errata	RHSA-2017:1412	normal	SHIPPED_LIVE	Moderate: eap7-jboss-ec2-eap security update	2017-06-07 17:22:17 EDT
Red Hat Product Errata	RHSA-2017:1548	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform 6.4.16 update on RHEL 7	2017-06-20 16:03:51 EDT
Red Hat Product Errata	RHSA-2017:1549	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform 6.4.16 update on RHEL 6	2017-06-20 16:00:34 EDT
Red Hat Product Errata	RHSA-2017:1550	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform 6.4.16 update on RHEL 5	2017-06-20 15:57:08 EDT
Red Hat Product Errata	RHSA-2017:1551	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform security update	2017-06-20 15:46:11 EDT
Red Hat Product Errata	RHSA-2017:1552	normal	SHIPPED_LIVE	Moderate: jboss-ec2-eap security, bug fix, and enhancement update	2017-06-20 16:28:16 EDT
Red Hat Product Errata	RHSA-2017:3454	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update	2017-12-13 17:48:09 EST
Red Hat Product Errata	RHSA-2017:3455	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update	2017-12-13 17:57:25 EST
Red Hat Product Errata	RHSA-2017:3456	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update	2017-12-13 17:31:03 EST
Red Hat Product Errata	RHSA-2017:3458	normal	SHIPPED_LIVE	Important: eap7-jboss-ec2-eap security update	2017-12-13 18:26:13 EST

Groups: None (edit)

Description Adam Mariš 2017-01-13 07:39:46 EST

A vulnerability in log file viewer of Wildfly server 10.x.x allowing arbitrary file read to authenticated attacker via path traversal was found.

Comment 6 errata-xmlrpc 2017-06-07 12:38:33 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0

Via RHSA-2017:1409 https://rhn.redhat.com/errata/RHSA-2017-1409.html

Comment 7 errata-xmlrpc 2017-06-07 13:04:54 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:1411 https://access.redhat.com/errata/RHSA-2017:1411

Comment 8 errata-xmlrpc 2017-06-07 13:05:52 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:1410 https://access.redhat.com/errata/RHSA-2017:1410

Comment 9 errata-xmlrpc 2017-06-07 13:23:04 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:1412 https://access.redhat.com/errata/RHSA-2017:1412

Comment 10 errata-xmlrpc 2017-06-20 11:47:40 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4

Via RHSA-2017:1551 https://rhn.redhat.com/errata/RHSA-2017-1551.html

Comment 11 errata-xmlrpc 2017-06-20 12:08:35 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:1550 https://access.redhat.com/errata/RHSA-2017:1550

Comment 12 errata-xmlrpc 2017-06-20 12:09:53 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1549 https://access.redhat.com/errata/RHSA-2017:1549

Comment 13 errata-xmlrpc 2017-06-20 12:11:11 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:1548 https://access.redhat.com/errata/RHSA-2017:1548

Comment 14 errata-xmlrpc 2017-06-20 12:29:45 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1552 https://access.redhat.com/errata/RHSA-2017:1552

Comment 15 errata-xmlrpc 2017-12-13 12:34:34 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 16 errata-xmlrpc 2017-12-13 13:27:01 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 17 errata-xmlrpc 2017-12-13 13:42:58 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 18 errata-xmlrpc 2017-12-13 13:49:27 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Note You need to log in before you can comment on or make changes to this bug.

amaris
bbaranow
bmaxwell
cdewolf
chazlett
csutherl
dandread
darran.lofthouse
dosoudil
fnasser
jason.greene
jawilson
jpallich
jshepherd
lgao
myarboro
pgier
pjelinek
psakar
pslavice
rnetuka
rsvoboda
security-response-team
twalsh
vtunka