Description

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

Remediation

References

https://access.redhat.com/errata/RHSA-2019:2935

https://access.redhat.com/errata/RHSA-2019:2936

https://access.redhat.com/errata/RHSA-2019:2937

https://access.redhat.com/errata/RHSA-2019:2938

https://access.redhat.com/errata/RHSA-2019:2998

https://access.redhat.com/errata/RHSA-2019:3044

https://access.redhat.com/errata/RHSA-2019:3045

https://access.redhat.com/errata/RHSA-2019:3046

https://access.redhat.com/errata/RHSA-2019:3050

https://access.redhat.com/errata/RHSA-2020:0727

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184

https://github.com/undertow-io/undertow/pull/794

https://security.netapp.com/advisory/ntap-20220210-0016/

Related Vulnerabilities

CVE-2022-31175 Vulnerability in npm package @ckeditor/ckeditor5-html-support

CVE-2023-37959 Vulnerability in maven package org.jenkins-ci.plugins:sumologic-publisher

CVE-2021-41303 Vulnerability in maven package org.apache.shiro:shiro-core

CVE-2022-36095 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2018-8037 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking Patch Third Party Advisory