Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcDd2LXZtdjctNngycc4AARke
Incorrect Authorization in Undertow
Undertow before versions 1.4.18.SP1 (not findable in Maven), 2.0.2.Final, and 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.
Permalink: https://github.com/advisories/GHSA-cp7v-vmv7-6x2qJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcDd2LXZtdjctNngycc4AARke
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-cp7v-vmv7-6x2q, CVE-2017-12196
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12196
- https://access.redhat.com/errata/RHSA-2018:0478
- https://access.redhat.com/errata/RHSA-2018:0479
- https://access.redhat.com/errata/RHSA-2018:0480
- https://access.redhat.com/errata/RHSA-2018:0481
- https://access.redhat.com/errata/RHSA-2018:1525
- https://access.redhat.com/errata/RHSA-2018:2405
- https://access.redhat.com/errata/RHSA-2018:3768
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196
- https://issues.jboss.org/browse/UNDERTOW-1190
- https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
- https://github.com/advisories/GHSA-cp7v-vmv7-6x2q
Blast Radius: 22.0
Affected Packages
maven:io.undertow:undertow-core
Dependent packages: 912Dependent repositories: 5,259
Downloads:
Affected Version Ranges: <= 1.4.23.Final, >= 2.0.0.Alpha1, <= 2.0.1.Final
Fixed in: 1.4.24.Final, 2.0.2.FInal
All affected versions: 1.4.2-0.Final, 1.4.2-1.Final, 1.4.2-2.Final, 1.4.2-3.Final
All unaffected versions: