Inclusion of Sensitive Information in Log Files in Undertow

#VU21469 Inclusion of Sensitive Information in Log Files in Undertow

Published: 2019-10-01

Vulnerability identifier: #VU21469

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-10212

CWE-ID: CWE-532

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Undertow
Server applications / Web servers

Vendor: Red Hat Inc.

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists in Undertow DEBUG log implementation for io.undertow.request.security that stored user's credentials in plain text in a world-readable file. A local user can view contents of the debug file and gain access to login and passwords of Undertow users.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Undertow: 1.0.0 - 2.0.20

CPE

cpe:2.3:a:red_hat:undertow:2.0.20:*:*:*:*:wildfly_core:*:*

External links
http://access.redhat.com/errata/RHSA-2019:2936

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

OpenSUSE Linux update for SUSE Manager Client Tools

Red Hat update for Red Hat OpenShift Application Runtimes Thorntail 2.5.0

Red Hat update for Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 8

Red Hat update for Red Hat JBoss Enterprise Application Platform 7.2.4

Red Hat update for Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 6

Red Hat update for Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 7