CVE-2019-10184

CWE-862 — Missing Authorization8 documents7 sources

Severity

7.5HIGH

EPSS

1.4%

top 19.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Undertow Undertow-io Undertow Redhat Jboss Enterprise Application Platform +2 more

Timeline

PublishedJul 25

Latest updateAug 1

Description

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶NVDredhat/undertow< 2.0.23

▶Mavenio.undertow:undertow-servlet< 2.0.23

▶Debianundertow< 2.0.23-1

▶CVEListV5undertow-io/undertowfixed in 2.0.23.Final

▶NVDredhat/single_sign-on7.0, 7.3+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Undertow Missing Authorization when requesting a protected directory without trailing slash↗2019-08-01

▶

OSV

Undertow Missing Authorization when requesting a protected directory without trailing slash↗2019-08-01

▶

OSV

CVE-2019-10184: undertow before version 2↗2019-07-25

▶

CVEList

CVE-2019-10184: undertow before version 2↗2019-07-25

▶

📋Vendor Advisories

Red Hat

undertow: Information leak in requests for directories without trailing slashes↗2019-07-24

▶

Debian

CVE-2019-10184: undertow - undertow before version 2.0.23.Final is vulnerable to an information leak issue....↗2019

▶

💬Community

Bugzilla

CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes↗2019-05-22

▶