CVE-2020-1757

8.1HIGH

Key Information:

Vendor: Red Hat
Status: Undertow
Vendor: CVE Published:; 21 April 2020

Summary

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

Affected Version(s)

undertow all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1

undertow all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 21, 2020
Vulnerability Reserved
Nov 27, 2019

Collectors

NVD DatabaseMitre Database