Because Java's URL class does not normalize paths, and because the code never checks for .. segments, a request containing ../../ in its path will cause the backend to receive a URL that escapes the ...
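The behaviour described above, next to a containment check, as an added example that is not code from the affected project. The class name, the `BASE` prefix and the sample inputs are hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.net.URL;

public class BackendPathCheck {
    // Hypothetical backend prefix (assumption, not taken from the advisory).
    static final URI BASE = URI.create("http://backend.internal:8080/api/v1/");

    // Pattern described above: concatenate and hand to URL, which keeps ".." segments as-is.
    static String unsafePath(String clientPath) throws Exception {
        URL url = URI.create(BASE + clientPath).toURL();
        return url.getPath();
    }

    // Hardened form: resolve, normalize, then require the result to stay under BASE.
    static URI resolveUnderBase(String clientPath) {
        String lower = clientPath.toLowerCase();
        // Refuse encoded dots/separators and backslashes rather than guess how the backend decodes them.
        if (lower.contains("%2e") || lower.contains("%2f") || lower.contains("%5c")
                || clientPath.contains("\\")) {
            throw new IllegalArgumentException("encoded or backslash path characters rejected");
        }
        // Strip leading slashes so the input is always treated as relative to BASE.
        URI resolved = BASE.resolve(clientPath.replaceFirst("^/+", "")).normalize();
        boolean sameOrigin = BASE.getScheme().equals(resolved.getScheme())
                && BASE.getAuthority().equals(resolved.getAuthority());
        // normalize() leaves unresolvable leading ".." in place, so the prefix test still fails for them.
        if (!sameOrigin || !resolved.getPath().startsWith(BASE.getPath())) {
            throw new IllegalArgumentException("path escapes backend prefix: " + resolved);
        }
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs.
        String[] samples = { "items/42", "../../admin", "a/../../../admin", "items/%2e%2e/x" };
        for (String s : samples) {
            System.out.println("input: " + s);
            System.out.println("  URL.getPath():    " + unsafePath(s));
            try {
                System.out.println("  resolveUnderBase: " + resolveUnderBase(s));
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

Only `items/42` passes the check; for the other inputs `URL.getPath()` still returns the path with its dot segments intact, which is what the backend would otherwise receive.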
This score rates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS). Attack vector: more severe the more remote (logically and ...