Description

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

Remediation

References

https://access.redhat.com/errata/RHSA-2019:2935

https://access.redhat.com/errata/RHSA-2019:2936

https://access.redhat.com/errata/RHSA-2019:2937

https://access.redhat.com/errata/RHSA-2019:2938

https://access.redhat.com/errata/RHSA-2019:2998

https://access.redhat.com/errata/RHSA-2019:3044

https://access.redhat.com/errata/RHSA-2019:3045

https://access.redhat.com/errata/RHSA-2019:3046

https://access.redhat.com/errata/RHSA-2019:3050

https://access.redhat.com/errata/RHSA-2020:0727

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184

https://github.com/undertow-io/undertow/pull/794

https://security.netapp.com/advisory/ntap-20220210-0016/

Related Vulnerabilities

CVE-2021-32012 Vulnerability in npm package xlsx

CVE-2022-43766 Vulnerability in maven package org.apache.iotdb:iotdb-server

CVE-2012-4529 Vulnerability in maven package org.jboss.as:jboss-as-web

CVE-2014-0096 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2017-15707 Vulnerability in maven package org.apache.struts:struts2-core

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking Patch Third Party Advisory