CVE-2021-3688

Опубликовано: 05 авг. 2021

Источник: redhat

CVSS3: 4.8

Описание

A flaw was found in Red Hat JBoss Core Services HTTP Server in all versions, where it does not properly normalize the path component of a request URL contains dot-dot-semicolon(s). This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Меры по смягчению последствий

Manually add LocationMatch directive to deny any possible problem requests in the JBCS httpd configuration. For example:

<LocationMatch ".*\.\.;.*"> Require all denied </LocationMatch>

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	httpd	Not affected
Red Hat Enterprise Linux 7	httpd	Not affected
Red Hat Enterprise Linux 8	httpd	Not affected
Red Hat Enterprise Linux 8	httpd:2.4/httpd	Not affected
Red Hat Enterprise Linux 8	pki-deps:10.6/pki-servlet-container	Not affected
Red Hat Enterprise Linux 9	httpd	Not affected
Red Hat JBoss Enterprise Application Platform 6	httpd22	Out of support scope
Red Hat Software Collections	httpd24-httpd	Not affected
JBoss Core Services for RHEL 8	jbcs-httpd24-apr	Fixed	RHSA-2021:4614	10.11.2021
JBoss Core Services for RHEL 8	jbcs-httpd24-apr-util	Fixed	RHSA-2021:4614	10.11.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-200

https://bugzilla.redhat.com/show_bug.cgi?id=1990252JBCS: URL normalization issue with dot-dot-semicolon(s) leads to information disclosure

4.8 Medium

CVSS3

Связанные уязвимости

CVE-2021-3688

CVSS3: 4.8

nvd

больше 3 лет назад

GHSA-f3rq-463v-2j36

CVSS3: 9.1

github

больше 3 лет назад

4.8 Medium

CVSS3