#VU12802 Man-in-the-middle attack in Undertow - CVE-2017-12196
Published: May 17, 2018
Vulnerability identifier: #VU12802
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-12196
CWE-ID: CWE-300
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Undertow
Undertow
Software vendor:
Red Hat Inc.
Red Hat Inc.
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line when using Digest authentication. A remote attacker can conduct man-in-the-middle attack and gin access to potentially sensitive information.
The weakness exists due to the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line when using Digest authentication. A remote attacker can conduct man-in-the-middle attack and gin access to potentially sensitive information.
Remediation
Update to versions 1.4.18.SP1, 2.0.2.Final or 1.4.24.Final.