CVE-2019-10184

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://access.redhat.com/errata/RHSA-2019:2935	Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:2936	Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:2937	Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:2938	Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:2998	Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:3044	Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:3045	Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:3046	Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:3050	Vendor Advisory
https://access.redhat.com/errata/RHSA-2020:0727	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184	Issue Tracking Vendor Advisory
https://github.com/undertow-io/undertow/pull/794	Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20220210-0016/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:redhat:jboss_data_grid:-::::text-only:::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:-::::text-only:::
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
	cpe:2.3:a:redhat:openshift_application_runtimes:-::::text-only:::
	cpe:2.3:a:redhat:openshift_application_runtimes:1.0:::::::*
	cpe:2.3:a:redhat:single_sign-on:-::::text-only:::
	cpe:2.3:a:redhat:single_sign-on:7.0:::::::*

Configuration 3 (hide)

AND

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:::::::*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:::::::*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:::::::*
	cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:::::::*

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Configuration 9 (hide)

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::

History

No history.

Information

Published : 2019-07-25 21:15

Updated : 2024-02-28 17:08

NVD link : CVE-2019-10184

Mitre link : CVE-2019-10184

CVE.ORG link : CVE-2019-10184

JSON object : View

Products Affected

redhat

enterprise_linux
jboss_data_grid
undertow
jboss_enterprise_application_platform
openshift_application_runtimes
single_sign-on

netapp

active_iq_unified_manager

CWE

CWE-862

Missing Authorization

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2019-10184

7.5^/10

5.0^/10

Attach tags to `CVE-2019-10184`