CVE-2017-12196

Description

undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.

References

Link	Tags
https://access.redhat.com/errata/RHSA-2018:0479	vendor advisory
https://access.redhat.com/errata/RHSA-2018:0481	vendor advisory
https://access.redhat.com/errata/RHSA-2018:2405	vendor advisory
https://access.redhat.com/errata/RHSA-2018:1525	vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196	vendor advisory issue tracking
https://access.redhat.com/errata/RHSA-2018:0480	vendor advisory
https://issues.jboss.org/browse/UNDERTOW-1190	issue tracking
https://access.redhat.com/errata/RHSA-2018:3768	vendor advisory
https://access.redhat.com/errata/RHSA-2018:0478	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2017-12196?: CVE-2017-12196 has been scored as a medium severity vulnerability.
How to fix CVE-2017-12196?: To fix CVE-2017-12196, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2017-12196 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2017-12196 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2017-12196?: CVE-2017-12196 affects unspecified undertow.

Description

Categories

CWE-287 – Improper Authentication

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions