Information Disclosure Through Authorization Bypass

2018-03-1602:36:22

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.003 Low

EPSS

Percentile

68.8%

JSON

undertow-core is vulnerable to information disclosure attacks through authorization bypass. The vulnerability exists as undertow-core does not validate the uri attribute in the Authorization header, allowing a man-in-the-middle (MitM) attacker to provide a bogus uri and accessing other content on the server.

CPENameOperatorVersion
undertow corele1.0.0.Alpha18
undertow corele2.0.1.Final
undertow corele1.4.23.Final
eap7-jackson-coreeq2.5.4__1.redhat_1.1.ep7.el7
eap7-jackson-coreeq2.5.4__1.redhat_1.1.ep7.el6
eap7-jackson-coreeq2.8.9__1.redhat_1.1.ep7.el6
eap7-jackson-coreeq2.8.9__1.redhat_1.1.ep7.el7
eap7-jbossws-cxfeq5.1.5__1.Final_redhat_1.1.ep7.el6
eap7-jbossws-cxfeq5.1.9__2.Final_redhat_1.1.ep7.el7
eap7-jbossws-cxfeq5.1.9__2.Final_redhat_1.1.ep7.el6

Name	Operator	Version
undertow core	le	1.0.0.Alpha18
undertow core	le	2.0.1.Final
undertow core	le	1.4.23.Final
eap7-jackson-core	eq	2.5.4__1.redhat_1.1.ep7.el7
eap7-jackson-core	eq	2.5.4__1.redhat_1.1.ep7.el6
eap7-jackson-core	eq	2.8.9__1.redhat_1.1.ep7.el6
eap7-jackson-core	eq	2.8.9__1.redhat_1.1.ep7.el7
eap7-jbossws-cxf	eq	5.1.5__1.Final_redhat_1.1.ep7.el6
eap7-jbossws-cxf	eq	5.1.9__2.Final_redhat_1.1.ep7.el7
eap7-jbossws-cxf	eq	5.1.9__2.Final_redhat_1.1.ep7.el6