CVE-2019-10184

Aliases:GHSA-w69w-jvc7-wjgv

Advisory lineage Upstream: 0 Downstream: 8

Downstream

DEBIAN-CVE-2019-10184 RHSA-2019:2935 RHSA-2019:2936 RHSA-2019:2937 RHSA-2019:3044 RHSA-2019:3045

Modified

Published: 25 Jul 2019, 20:35

Last modified:04 Aug 2024, 22:10

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

1.48% LOW

1% probability +0.80%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

25 Jul 2019, 20:35

Published

Vulnerability first disclosed

04 Aug 2024, 22:10

Last Modified

Vulnerability information updated

Description

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
v3.0•MEDIUM•Score: 5.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 1.48%• Percentile: 81%

Techniques & Countermeasures

CWE-862•Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Affected Systems

io.undertow•undertow-servlet
< 2.0.23
netapp•active_iq_unified_manager
na
redhat•jboss_data_grid
na
redhat•jboss_enterprise_application_platform
na | 7.0.0 | 7.2 | 7.3 | 7.4
redhat•openshift_application_runtimes
na | 1.0
redhat•single_sign-on
na | 7.0 | 7.3
redhat•undertow
< 2.0.23
undertow-io•undertow
fixed in 2.0.23.Final