#VU21469 Inclusion of Sensitive Information in Log Files in Undertow


Published: 2019-10-01

Vulnerability identifier: #VU21469

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-10212

CWE-ID: CWE-532

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Undertow
Server applications / Web servers

Vendor: Red Hat Inc.

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists in the Undertow DEBUG log implementation for io.undertow.request.security, which stored users' credentials in plain text in a world-readable file. A local user can read the debug log file and obtain the logins and passwords of Undertow users.
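The weakness described above is CWE-532 in its classic shape: a debug logger writes an authentication header or form fields verbatim, and the file it lands in is readable by every local account. The example below is an added illustration, not Undertow's code or Red Hat's fix (Undertow is Java; the defender-side pattern is shown here in Python because it is self-contained). It demonstrates the two controls that close the gap: a logging filter that redacts Basic-auth headers and password-like key/value pairs before the record reaches the file, and creating the log file with owner-only permissions instead of relying on the process umask. A small scanner for existing logs is included so the same patterns can be used to audit what has already been written. All regexes, function names and the sample log events are assumptions constructed for this example.

```python
import logging
import os
import re
import shutil
import stat
import tempfile
from typing import List, Optional

# Credential shapes that commonly leak into DEBUG logs (constructed patterns, not Undertow's):
#  - an HTTP Basic Authorization header, whose value is base64("user:password")
#  - key=value / key: value pairs whose key names a password, secret or token
# The negative lookahead keeps already-redacted values from matching again.
BASIC_AUTH_RE = re.compile(r"(Authorization:\s*Basic\s+)[A-Za-z0-9+/=]+", re.IGNORECASE)
KV_SECRET_RE = re.compile(
    r"((?:password|passwd|pwd|secret|token)\s*[=:]\s*)(?!\[REDACTED\])\S+", re.IGNORECASE
)
REDACTED = r"\1[REDACTED]"


def redact(message: str) -> str:
    """Mask credential-like material in a single log message."""
    message = BASIC_AUTH_RE.sub(REDACTED, message)
    message = KV_SECRET_RE.sub(REDACTED, message)
    return message


class RedactingFilter(logging.Filter):
    """Redact the fully formatted message before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format %-style args first, otherwise a password passed as an argument
        # would bypass the regexes; then clear args so nothing is re-substituted.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def is_world_readable(path: str) -> bool:
    """True if 'other' users have read permission on the file (the advisory's condition)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def open_private_log(path: str) -> logging.Handler:
    """Create the log file as 0600 before the handler opens it, and attach the redaction filter.

    os.open's mode is still subject to umask, so an explicit chmod enforces owner-only access
    regardless of how permissive the service's umask is.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)
    handler = logging.FileHandler(path)
    handler.addFilter(RedactingFilter())
    return handler


def find_leaked_credentials(lines: List[str]) -> List[int]:
    """Audit helper: 1-based numbers of lines that still carry unredacted credential material."""
    return [
        n for n, line in enumerate(lines, 1)
        if BASIC_AUTH_RE.search(line) or KV_SECRET_RE.search(line)
    ]


def demo(log_dir: Optional[str] = None) -> dict:
    """Write two constructed DEBUG events through the hardened handler and report the outcome."""
    own_dir = log_dir is None
    log_dir = log_dir or tempfile.mkdtemp(prefix="undertow-log-example-")
    path = os.path.join(log_dir, "security-debug.log")
    logger = logging.getLogger("io.undertow.request.security.example")  # assumed logger name
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = open_private_log(path)
    logger.addHandler(handler)
    try:
        # Constructed sample events; the header value is base64("alice:hunter2").
        logger.debug("Authenticating request with header Authorization: Basic YWxpY2U6aHVudGVyMg==")
        logger.debug("Form login for user=%s password=%s", "alice", "hunter2")
        handler.flush()
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
        return {
            "world_readable": is_world_readable(path),
            "leaks": find_leaked_credentials(lines),
            "lines": lines,
        }
    finally:
        logger.removeHandler(handler)
        handler.close()
        if own_dir:
            shutil.rmtree(log_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` produces a file that is not world-readable and whose two lines read `... Authorization: Basic [REDACTED]` and `... password=[REDACTED]`; `find_leaked_credentials` returns an empty list for them, while the same function applied to the raw events flags both. The redaction sits on the handler rather than in each call site because, as the advisory shows, the dangerous line is usually one nobody thought of as credential handling.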

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Undertow: 1.0.0 - 2.0.20


CPE

External links
http://access.redhat.com/errata/RHSA-2019:2936


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?
