A potential directory traversal vulnerability in JBoss EAP was discovered. Initial tests determined that appending "/..;/" to a request will return the JBoss EAP welcome page from the / directory.
Is this issue fixed upstream in Undertow? Is there an upstream fixing commit and/or upstream issue to track this?
This is apparently fixed in 2.3.12. I don't know why Red Hat never communicates properly about security issues. https://issues.redhat.com/browse/UNDERTOW-2339
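For defenders checking whether the `/..;/` request pattern from the report has reached their own servers, the following is an added example (not from the report or from the Undertow project) that scans access-log lines for path segments consisting of `..` followed by a `;` path-parameter suffix, including percent-encoded forms. The log lines are constructed, the function names are hypothetical, and the common log format is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format); not from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /app/..;/ HTTP/1.1" 200 1504
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 812
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /app/%2e%2e%3b/ HTTP/1.1" 200 1504
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/report;v=2/list?d=../x HTTP/1.1" 200 90
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /app/..;jsessionid=abc/admin HTTP/1.1" 404 0
"""

# Pulls the request target and response status out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def traversal_segments(target):
    """Return raw path segments that decode to '..' followed by a ';' parameter suffix."""
    path = target.split("?", 1)[0].split("#", 1)[0]  # query and fragment are not path
    hits = []
    for raw in path.split("/"):
        decoded = unquote(raw)                 # one decoding pass: %2e%2e%3b -> ..;
        name, sep, _ = decoded.partition(";")  # text before the first ';' is the segment name
        if name == ".." and sep:
            hits.append(raw)
    return hits

def scan(log_text):
    """Return (line number, target, status, matching segments) for each flagged request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        segs = traversal_segments(m.group("target"))
        if segs:
            findings.append((lineno, m.group("target"), int(m.group("status")), segs))
    return findings

if __name__ == "__main__":
    for lineno, target, status, segs in scan(SAMPLE_LOG):
        print(f"line {lineno}: status={status} target={target} segments={segs}")
```

A flagged request that returned 200 deserves a closer look than one that returned 404, since the report's test case was a `/..;/` request that returned the welcome page.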