Description

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

Remediation

References

https://access.redhat.com/errata/RHSA-2019:2935

https://access.redhat.com/errata/RHSA-2019:2936

https://access.redhat.com/errata/RHSA-2019:2937

https://access.redhat.com/errata/RHSA-2019:2938

https://access.redhat.com/errata/RHSA-2019:2998

https://access.redhat.com/errata/RHSA-2019:3044

https://access.redhat.com/errata/RHSA-2019:3045

https://access.redhat.com/errata/RHSA-2019:3046

https://access.redhat.com/errata/RHSA-2019:3050

https://access.redhat.com/errata/RHSA-2020:0727

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184

https://github.com/undertow-io/undertow/pull/794

https://security.netapp.com/advisory/ntap-20220210-0016/

Related Vulnerabilities

CVE-2021-40865 Vulnerability in maven package org.apache.storm:storm-server

CVE-2019-10095 Vulnerability in maven package org.apache.zeppelin:zeppelin

CVE-2019-10301 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-plugin

CVE-2021-21119 Vulnerability in maven package org.webjars.npm:electron

CVE-2022-45384 Vulnerability in maven package org.jenkins-ci.plugins:reverse-proxy-auth-plugin

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking Patch Third Party Advisory