Lucene search

[email protected]NVD:CVE-2020-1757

HistoryApr 21, 2020 - 5:15 p.m.

CVE-2020-1757

2020-04-2117:15:12

CWE-20

CWE-200

[email protected]

web.nvd.nist.gov

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

8.8

Confidence

High

EPSS

0.001

Percentile

27.5%

JSON

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

Affected configurations

Nvd

Node

redhatundertowRange<2.1.0

redhatundertowMatch2.0.0sp1

redhatundertowMatch2.0.25sp1

redhatundertowMatch2.0.26sp3

redhatundertowMatch2.0.28sp1

redhatundertowMatch2.0.28sp2

Node

redhatjboss_data_gridMatch7.0.0

redhatjboss_enterprise_application_platformMatch7.0.0

redhatjboss_fuseMatch6.0.0

redhatjboss_fuseMatch7.0.0

redhatopenshift_application_runtimesMatch-

redhatsingle_sign-onMatch7.0

VendorProductVersionCPE
redhatundertow*cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
redhatundertow2.0.0cpe:2.3:a:redhat:undertow:2.0.0:sp1:*:*:*:*:*:*
redhatundertow2.0.25cpe:2.3:a:redhat:undertow:2.0.25:sp1:*:*:*:*:*:*
redhatundertow2.0.26cpe:2.3:a:redhat:undertow:2.0.26:sp3:*:*:*:*:*:*
redhatundertow2.0.28cpe:2.3:a:redhat:undertow:2.0.28:sp1:*:*:*:*:*:*
redhatundertow2.0.28cpe:2.3:a:redhat:undertow:2.0.28:sp2:*:*:*:*:*:*
redhatjboss_data_grid7.0.0cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*
redhatjboss_enterprise_application_platform7.0.0cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
redhatjboss_fuse6.0.0cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
redhatjboss_fuse7.0.0cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	undertow	*	cpe:2.3:a:redhat:undertow::::::::
redhat	undertow	2.0.0	cpe:2.3:a:redhat:undertow:2.0.0:sp1::::::
redhat	undertow	2.0.25	cpe:2.3:a:redhat:undertow:2.0.25:sp1::::::
redhat	undertow	2.0.26	cpe:2.3:a:redhat:undertow:2.0.26:sp3::::::
redhat	undertow	2.0.28	cpe:2.3:a:redhat:undertow:2.0.28:sp1::::::
redhat	undertow	2.0.28	cpe:2.3:a:redhat:undertow:2.0.28:sp2::::::
redhat	jboss_data_grid	7.0.0	cpe:2.3:a:redhat:jboss_data_grid:7.0.0:::::::*
redhat	jboss_enterprise_application_platform	7.0.0	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
redhat	jboss_fuse	6.0.0	cpe:2.3:a:redhat:jboss_fuse:6.0.0:::::::*
redhat	jboss_fuse	7.0.0	cpe:2.3:a:redhat:jboss_fuse:7.0.0:::::::*