Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[UNDERTOW-2339] CVE-2024-1459 Path segment "/..;" should not be treated as "/.." #1556

Merged
merged 1 commit into from
Feb 21, 2024
Merged

[UNDERTOW-2339] CVE-2024-1459 Path segment "/..;" should not be treated as "/.." #1556

merged 1 commit into from
Feb 21, 2024

Conversation

fl4via
Copy link
Member

@fl4via fl4via commented Feb 21, 2024

Proxies such as httpd proxy do not resolve the path segment "/..;/" to be a double dot segment, so they would pass such request path unchanged to target server. Undertow on the other hand resolves "/..;/" as double dot, which can cause essentially a path traversal problem, where client can request resources that should not be available to him per proxy configuration.

Jira: https://issues.redhat.com/browse/UNDERTOW-2339

@TomasHofman @fl4via
[UNDERTOW-2339] CVE-2024-1459 Path segment "/..;" should not be treat…
9b7c503 
…ed as "/.."

Proxies such as httpd proxy do not resolve the path segment "/..;/" to
be a double dot segment, so they would pass such request path unchanged
to target server. Undertow on the other hand resolves "/..;/" as double
dot, which can cause essentially a path traversal problem, where client
can request resources that should not be available to him per proxy
configuration.

Signed-off-by: Flavia Rainone <frainone@redhat.com>
@fl4via fl4via added bug fix Contains bug fix(es) next release This PR will be merged before next release or has already been merged (for payload double check) waiting CI check Ready to be merged but waiting for CI check and removed waiting CI check Ready to be merged but waiting for CI check labels Feb 21, 2024
@fl4via fl4via merged commit 54f3e43 into undertow-io:master Feb 21, 2024
25 checks passed
@fl4via fl4via deleted the UNDERTOW-2339 branch February 21, 2024 05:48
@fl4via fl4via mentioned this pull request Feb 21, 2024
Merged
@fl4via fl4via removed the next release This PR will be merged before next release or has already been merged (for payload double check) label Apr 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug fix Contains bug fix(es)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fl4via @TomasHofman