Servlet Path Normalization Flaw in Undertow Server Products
CVE-2020-1757

8.1HIGH

Key Information:

Vendor: Red Hat
Status: Undertow
Vendor: CVE Published:; 21 April 2020

Summary

A flaw exists in the Undertow server that affects multiple versions, where the servlet container incorrectly normalizes the servlet path. This occurs due to the truncation of the path after a semicolon, potentially allowing a security bypass within application mappings. This vulnerability can lead malicious actors to exploit application behavior and compromise security configurations.

Affected Version(s)

undertow all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1

undertow all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 21, 2020
Vulnerability Reserved
Nov 27, 2019