History: Sep 16, 2020 - 3:15 p.m.

CVE-2020-1710

Date: 2020-09-16 15:15:12
Source: redhat
Reference: web.nvd.nist.gov
Tags: jboss eap, cve-2020-1710, parsing issue, rfc7230, nvd

CVSS2: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

AI Score: 4.9 (Confidence: High)
EPSS: 0.001 (Percentile: 35.9%)

The issue appears to be that JBoss EAP 6.4.21 does not parse the header field-name in accordance with RFC 7230 [1]: a request with a malformed field-name receives a 200 response instead of a 400.

Affected configurations

Vendor | Product | Version | CPE
redhat | jboss_data_grid | - | cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*
redhat | jboss_data_grid | 7.0.0 | cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*
redhat | jboss_enterprise_application_platform | - | cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*
redhat | jboss_enterprise_application_platform | 6.4.21 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.21:*:*:*:*:*:*:*
redhat | jboss_enterprise_application_platform | 7.0.0 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
redhat | jboss_enterprise_application_platform | 7.2.0 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
redhat | jboss_enterprise_application_platform | 7.3.0 | cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*
redhat | openshift_application_runtimes | - | cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*
redhat | single_sign-on | - | cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*

CNA Affected

[
  {
    "product": "JBoss Enterprise Application Platform",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "EAP 6.4.21"
      }
    ]
  }
]
