Red Hat Security Advisory 2013-1194-01 - JBoss Web is the web container, based on Apache Tomcat, in Red Hat JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages and Java Servlet technologies. A flaw was found in the way the DiskFileItem class handled NULL characters in file names. A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is accessible to the user running the application server process.
6f6d113bd6057b90caa24b61b15e39fadb34cbae8328babe5c75452e98647549