CVE-2020-1757

CWE-20 — Improper Input Validation CWE-200 — Information Exposure CWE-419 documents7 sources

Severity

8.1HIGH

EPSS

0.5%

top 35.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Undertow RED HAT Undertow Redhat Jboss Data Grid +3 more

Timeline

PublishedApr 21

Latest updateMay 24

Description

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages8 packages

▶NVDredhat/undertow< 2.1.0+4

▶Mavenio.undertow:undertow-core< 2.1.0

▶Debianundertow< 2.1.0-1

▶CVEListV5red_hat/undertowall undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1+1

▶NVDredhat/jboss_enterprise_application_platform7.0.0

🔴Vulnerability Details

OSV

Improper Input Validation in Undertow↗2022-05-24

▶

GHSA

Improper Input Validation in Undertow↗2022-05-24

▶

CVEList

CVE-2020-1757: A flaw was found in all undertow-2↗2020-04-21

▶

OSV

CVE-2020-1757: A flaw was found in all undertow-2↗2020-04-21

▶

📋Vendor Advisories

Debian

CVE-2020-1757: undertow - A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1...↗2020

▶

Red Hat

undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass↗2018-12-19

▶

💬Community

Bugzilla

CVE-2020-27753 ImageMagick: memory leaks in AcquireMagickMemory function↗2020-11-03

▶

Bugzilla

CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass↗2019-09-17

▶