Description
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, and all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after the semicolon, which may lead to an application mapping that results in a security bypass.
A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to incorrect application mapping, resulting in a security bypass.
Mitigation
The issue can be mitigated by configuring UrlPathHelper to ignore the servletPath by setting "alwaysUseFullPath".
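The mitigation above refers to the `UrlPathHelper` class of Spring MVC, which by default derives the lookup path for handler mapping from the container's `servletPath`. Switching it to `alwaysUseFullPath` makes Spring compute the lookup path from the full request URI itself, so an Undertow `servletPath` truncated at a semicolon no longer drives routing. The following is an added example, not code from the advisory or from the Undertow or Spring projects; it assumes a Java-configured Spring MVC 5.x application, and the class name `PathMatchingConfig` is a placeholder chosen here.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.util.UrlPathHelper;

/**
 * Spring MVC configuration that stops handler mapping from trusting the
 * container-supplied servletPath (hypothetical class name).
 */
@Configuration
public class PathMatchingConfig implements WebMvcConfigurer {

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        UrlPathHelper helper = new UrlPathHelper();

        // Resolve the lookup path from the full request URI rather than
        // from HttpServletRequest.getServletPath(), which the affected
        // Undertow versions truncate at the first ';'.
        helper.setAlwaysUseFullPath(true);

        // Keep Spring's default of dropping ";param=value" segments before
        // matching, so both halves of the path are compared consistently.
        helper.setRemoveSemicolonContent(true);

        configurer.setUrlPathHelper(helper);
    }
}
```

After deploying this, a request whose URI carries a path parameter is matched by Spring on the full, normalized URI, independent of what the container reports as the servlet path. This is a compensating control for applications that cannot yet upgrade to the fixed Undertow releases listed on this page; upgrading remains the primary fix.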
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6 | undertow | Out of support scope | | |
| Red Hat JBoss Fuse 6 | undertow | Affected | | |
| Red Hat OpenShift Application Runtimes | undertow | Affected | | |
| Red Hat Process Automation 7 | undertow | Not affected | | |
| Red Hat Data Grid 7.3.7 | undertow | Fixed | RHSA-2020:3779 | 17.09.2020 |
| Red Hat Fuse 7.7.0 | undertow | Fixed | RHSA-2020:3192 | 28.07.2020 |
| Red Hat JBoss EAP 7 | undertow-core | Fixed | RHSA-2020:2515 | 10.06.2020 |
| Red Hat JBoss EAP 7.2 | undertow-core | Fixed | RHSA-2020:2061 | 11.05.2020 |
| Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | eap7-undertow | Fixed | RHSA-2024:5856 | 26.08.2024 |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | eap7-activemq-artemis | Fixed | RHSA-2020:2058 | 11.05.2020 |
Additional information
Status:
EPSS:
CVSS3: 8.1 High
Related vulnerabilities
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow- ...