Security feature bypass

2020-04-2117:15:00

PRIOn knowledge base

www.prio-n.com

8.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.7%

JSON

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

CPENameOperatorVersion
jboss_data_grideq7.0.0
jboss_enterprise_application_platformeq7.0.0
jboss_fuseeq6.0.0
jboss_fuseeq7.0.0
single_sign-oneq7.0
undertowlt2.1.0
undertoweq2.0.0 sp1
undertoweq2.0.25 sp1
undertoweq2.0.28 sp1
undertoweq2.0.28 sp2

Name	Operator	Version
jboss_data_grid	eq	7.0.0
jboss_enterprise_application_platform	eq	7.0.0
jboss_fuse	eq	6.0.0
jboss_fuse	eq	7.0.0
single_sign-on	eq	7.0
undertow	lt	2.1.0
undertow	eq	2.0.0 sp1
undertow	eq	2.0.25 sp1
undertow	eq	2.0.28 sp1
undertow	eq	2.0.28 sp2