WildFly does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. This is an instance of the 'Zip Slip' vulnerability. Upstream Issue: https://issues.jboss.org/browse/WFCORE-3938 External Reference: https://snyk.io/research/zip-slip-vulnerability
Statement: This vulnerability can only be exploited by users with deployment permissions.
Created wildfly-common tracking bugs for this issue: Affects: epel-7 [bug 1594635] Created wildfly-core tracking bugs for this issue: Affects: fedora-all [bug 1594634]
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2277 https://access.redhat.com/errata/RHSA-2018:2277
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2276 https://access.redhat.com/errata/RHSA-2018:2276
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2018:2279 https://access.redhat.com/errata/RHSA-2018:2279
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.4 zip Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text. If this bug does not require doc text, please set the 'requires_doc_text' flag to -.
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:0877
This issue has been addressed in the following products: Red Hat Data Grid 7.3.6 Via RHSA-2020:2321 https://access.redhat.com/errata/RHSA-2020:2321
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2562 https://access.redhat.com/errata/RHSA-2020:2562