Undertow Missing Authorization when requesting a protected directory without trailing slash

2019-08-0119:18:16

Google

osv.dev

8.2 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.0%

JSON

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

CPENameOperatorVersion
io.undertow:undertow-servleteq1.4.0.CR4
io.undertow:undertow-servleteq1.3.0.Beta12
io.undertow:undertow-servleteq1.2.12.Final
io.undertow:undertow-servleteq1.0.0.Beta13
io.undertow:undertow-servleteq1.1.0.CR2
io.undertow:undertow-servleteq1.4.25.Final
io.undertow:undertow-servleteq1.4.4.Final
io.undertow:undertow-servleteq1.4.9.Final
io.undertow:undertow-servleteq1.0.0.Beta19
io.undertow:undertow-servleteq1.0.0.Beta24

Name	Operator	Version
io.undertow:undertow-servlet	eq	1.4.0.CR4
io.undertow:undertow-servlet	eq	1.3.0.Beta12
io.undertow:undertow-servlet	eq	1.2.12.Final
io.undertow:undertow-servlet	eq	1.0.0.Beta13
io.undertow:undertow-servlet	eq	1.1.0.CR2
io.undertow:undertow-servlet	eq	1.4.25.Final
io.undertow:undertow-servlet	eq	1.4.4.Final
io.undertow:undertow-servlet	eq	1.4.9.Final
io.undertow:undertow-servlet	eq	1.0.0.Beta19
io.undertow:undertow-servlet	eq	1.0.0.Beta24