Description
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
Statement
Please refer to the Red Hat knowledgebase article https://access.redhat.com/solutions/4851251 and the CVE page https://access.redhat.com/security/cve/cve-2020-1938
Mitigation
Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | undertow | Not affected | | |
| Red Hat JBoss Fuse 6 | undertow | Out of support scope | | |
| Red Hat OpenShift Application Runtimes | undertow | Affected | | |
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Will not fix | | |
| Red Hat Process Automation 7 | undertow | Not affected | | |
| EAP-CD 19 Tech Preview | undertow | Fixed | RHSA-2020:2333 | 28.05.2020 |
| Red Hat Data Grid 7.3.7 | undertow | Fixed | RHSA-2020:3779 | 17.09.2020 |
| Red Hat Fuse 7.7.0 | undertow | Fixed | RHSA-2020:3192 | 28.07.2020 |
| Red Hat JBoss EAP 7 | undertow-core | Fixed | RHSA-2020:2515 | 10.06.2020 |
| Red Hat JBoss EAP 7.2 | undertow-core | Fixed | RHSA-2020:0812 | 12.03.2020 |
Additional information
CVSS3: 7.6 High
Related vulnerabilities
Vulnerability in the AJP Connector service of the Apache Tomcat application server that allows an attacker to gain unauthorized read access to web application files