CVE-2024-1459: 
Java vulnerability analysis and mitigation

A path traversal vulnerability was discovered in Undertow (CVE-2024-1459), first reported on February 12, 2024. The vulnerability affects applications deployed to JBoss EAP (Enterprise Application Platform) and allows remote attackers to append specially-crafted sequences to HTTP requests, potentially enabling access to privileged or restricted files and directories (NVD, Red Hat).

The vulnerability is classified as a path traversal issue (CWE-24) with a CVSS v3.1 base score of 5.3 (MEDIUM). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with low confidentiality impact (C:L) and no impact on integrity (I:N) or availability (A:N) (NVD). Initial testing revealed that appending '/..;/' to a request could return the JBoss EAP welcome page from the root directory (Red Hat Bugzilla).

When successfully exploited, this vulnerability could lead to unauthorized access to privileged or restricted files and directories, potentially resulting in the disclosure of sensitive information (NVD, NetApp Security).

The vulnerability has been fixed in Undertow versions 2.2.30.SP1, 2.3.11.SP1, 2.3.12.Final, and 2.2.31.Final. Users are advised to upgrade to these or later versions. Security updates have been released through various Red Hat JBoss EAP channels, including RHSA-2024:1674, RHSA-2024:1675, RHSA-2024:1676, and RHSA-2024:1677 (Red Hat, NetApp Security).