Incorrect Authorization in Undertow

2022-05-1301:38:10

Google

osv.dev

0.003 Low

EPSS

Percentile

68.8%

JSON

Undertow before versions 1.4.18.SP1 (not findable in Maven), 2.0.2.Final, and 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.

CPENameOperatorVersion
io.undertow:undertow-coreeq1.0.0.CR2
io.undertow:undertow-coreeq1.1.0.Beta8
io.undertow:undertow-coreeq1.0.19.Final
io.undertow:undertow-coreeq1.4.0.Final
io.undertow:undertow-coreeq1.0.0.Alpha2
io.undertow:undertow-coreeq1.0.0.Beta13
io.undertow:undertow-coreeq1.4.4.Final
io.undertow:undertow-coreeq1.0.15.Final
io.undertow:undertow-coreeq1.3.0.Beta13
io.undertow:undertow-coreeq1.3.0.Beta8

Name	Operator	Version
io.undertow:undertow-core	eq	1.0.0.CR2
io.undertow:undertow-core	eq	1.1.0.Beta8
io.undertow:undertow-core	eq	1.0.19.Final
io.undertow:undertow-core	eq	1.4.0.Final
io.undertow:undertow-core	eq	1.0.0.Alpha2
io.undertow:undertow-core	eq	1.0.0.Beta13
io.undertow:undertow-core	eq	1.4.4.Final
io.undertow:undertow-core	eq	1.0.15.Final
io.undertow:undertow-core	eq	1.3.0.Beta13
io.undertow:undertow-core	eq	1.3.0.Beta8