CVE-2018-14642 — Sensitive Information Exposure in RED HAT Undertow

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.7%

top 27.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Undertow RED HAT Undertow Redhat Jboss Enterprise Application Platform

Timeline

PublishedSep 18

Latest updateMay 13

Description

An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶Debianredhat/undertow< 2.0.23-1

▶CVEListV5red_hat/undertown/a

▶NVDredhat/jboss_enterprise_application_platform7.1, 7.2, 7.3+2

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

Exposure of Sensitive Information to an Unauthorized Actor in Undertow↗2022-05-13

▶

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in Undertow↗2022-05-13

▶

OSV

CVE-2018-14642: An information leak vulnerability was found in Undertow↗2018-09-18

▶

CVEList

CVE-2018-14642: An information leak vulnerability was found in Undertow↗2018-09-18

▶

📋Vendor Advisories

Red Hat

undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer↗2018-09-14

▶

Debian

CVE-2018-14642: undertow - An information leak vulnerability was found in Undertow. If all headers are not ...↗2018

▶

💬Community

Bugzilla

CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer↗2018-09-13

▶