SB2025030774 - openEuler update for undertow
Published: March 7, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Man-in-the-middle attack (CVE-ID: CVE-2017-12196)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line when using Digest authentication. A remote attacker can conduct man-in-the-middle attack and gin access to potentially sensitive information.
2) Directory listing (CVE-ID: CVE-2019-10184)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect handling of requests without trailing slashes in the api. A remote attacker can send a specially crafted HTTP request to the affected server and predict directory structure.
3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2019-10212)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists in Undertow DEBUG log implementation for io.undertow.request.security that stored user's credentials in plain text in a world-readable file. A local user can view contents of the debug file and gain access to login and passwords of Undertow users.
Remediation
Install update from vendor's website.