CVE-2017-12196

CWE-287 — Improper Authentication CWE-863 — Incorrect Authorization8 documents7 sources

Severity

5.9MEDIUM

EPSS

0.5%

top 33.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Undertow Unspecified Undertow Redhat Jboss Enterprise Application Platform +2 more

Timeline

PublishedApr 18

Latest updateMay 13

Description

undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages7 packages

▶Mavenio.undertow:undertow-core2.0.0.Alpha1 — 2.0.2.FInal+1

▶Debianundertow< 1.4.25-1

▶NVDredhat/undertow1.4.18+2

▶CVEListV5unspecified/undertowundertow 1.4.18.SP1, undertow 1.4.24.Final, undertow 2.0.2.Final+2

▶NVDredhat/jboss_fuse6.0.0

🔴Vulnerability Details

OSV

Incorrect Authorization in Undertow↗2022-05-13

▶

GHSA

Incorrect Authorization in Undertow↗2022-05-13

▶

OSV

CVE-2017-12196: undertow before versions 1↗2018-04-18

▶

CVEList

CVE-2017-12196: undertow before versions 1↗2018-04-18

▶

📋Vendor Advisories

Red Hat

undertow: Client can use bogus uri in Digest authentication↗2018-03-12

▶

Debian

CVE-2017-12196: undertow - undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnera...↗2017

▶

💬Community

Bugzilla

CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication↗2017-10-17

▶