CVE-2019-10212 — Log File Information Exposure in Redhat Undertow

CWE-532 — Log File Information Exposure8 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 36.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Undertow Redhat Jboss Data Grid Redhat Jboss Fuse +2 more

Timeline

PublishedOct 2

Latest updateNov 20

Description

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

▶NVDredhat/undertow< 2.0.20

▶Debianredhat/undertow< 2.0.27-1

▶CVEListV5redhat/undertowall under 2.0.20

▶NVDredhat/jboss_fuse7.0.0 — 7.4

▶NVDredhat/single_sign-on7.0 — 7.3

🔴Vulnerability Details

GHSA

Potential to access user credentials from the log files when debug logging enabled↗2019-11-20

▶

OSV

Potential to access user credentials from the log files when debug logging enabled↗2019-11-20

▶

CVEList

CVE-2019-10212: A flaw was found in, all under 2↗2019-10-02

▶

OSV

CVE-2019-10212: A flaw was found in, all under 2↗2019-10-02

▶

📋Vendor Advisories

Red Hat

undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files↗2019-09-30

▶

Debian

CVE-2019-10212: undertow - A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow...↗2019

▶

💬Community

Bugzilla

CVE-2019-10212 undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files↗2019-07-22

▶