Information Exposure

Affecting io.undertow:undertow-core artifact, versions [,2.0.21.Final)

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Information Exposure via the DEBUG log for the io.undertow.request.security logger. When that logger is enabled at DEBUG level, the user's credentials are written to the log files, so an attacker with access to those logs could abuse this flaw to obtain them.

Remediation

Upgrade io.undertow:undertow-core to version 2.0.21.Final or higher.
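The two conditions the advisory names are checkable from a deployment's own artefacts: the undertow-core version must be below 2.0.21.Final, and the `io.undertow.request.security` logger must be effective at DEBUG (or finer). The script below is an added example for this page, not code from Snyk or the Undertow project. It assumes Maven-style version strings (`2.0.20.Final`), a logback-style XML logging configuration, and logback's rule that a logger inherits the level of its nearest ancestor with an explicit level (root defaults to DEBUG); the function names and the sample configurations are constructed for the example.

```python
"""Defender-side checks for CVE-2019-10212 (added example, not Snyk's or Undertow's code).

1. is_affected(version): is undertow-core inside the affected range [,2.0.21.Final)?
2. effective_level(xml):  what level does io.undertow.request.security actually run at,
                          once logback-style level inheritance is applied?
3. exposes_credentials(): both conditions together.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.0.21.Final"
SENSITIVE_LOGGER = "io.undertow.request.security"
VERBOSE_LEVELS = {"DEBUG", "TRACE", "ALL"}

# Assumed ordering of Maven-style qualifiers; unknown qualifiers rank as pre-release.
QUALIFIER_RANK = {"ALPHA": 0, "BETA": 1, "CR": 2, "FINAL": 3, "SP": 4}


def qualifier_key(qualifier):
    """'Beta2' -> (rank of BETA, 2); 'Final' -> (3, 0)."""
    m = re.fullmatch(r"([A-Za-z]*)(\d*)", qualifier)
    name = (m.group(1) if m else qualifier).upper()
    num = int(m.group(2)) if m and m.group(2) else 0
    return QUALIFIER_RANK.get(name, 0), num


def version_key(version):
    """Turn '2.0.20.Final' into a tuple that compares the way Maven releases order.
    Leading numeric components compare numerically; a missing qualifier counts as Final."""
    nums, qualifier = [], "Final"
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    while len(nums) < 3:          # pad '2.0' to (2, 0, 0)
        nums.append(0)
    return tuple(nums), qualifier_key(qualifier)


def is_affected(version):
    """True for every version in the advisory's range [,2.0.21.Final)."""
    return version_key(version) < version_key(FIXED_VERSION)


def effective_level(xml_text, logger_name=SENSITIVE_LOGGER):
    """Resolve the level the logger actually runs at in a logback-style config.
    Walks up the dotted hierarchy to the nearest ancestor with an explicit level;
    falls back to <root level>, which logback defaults to DEBUG when unset."""
    config = ET.fromstring(xml_text)
    explicit = {}
    for node in config.iter("logger"):
        if node.get("name") and node.get("level"):
            explicit[node.get("name")] = node.get("level").upper()
    root_node = config.find("root")
    root_level = "DEBUG"
    if root_node is not None and root_node.get("level"):
        root_level = root_node.get("level").upper()
    name = logger_name
    while name:
        if name in explicit:
            return explicit[name]
        name = name.rpartition(".")[0]
    return root_level


def exposes_credentials(version, xml_text):
    """Credentials reach the log only if the version is affected AND the logger is verbose."""
    return is_affected(version) and effective_level(xml_text) in VERBOSE_LEVELS


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONFIG = """<configuration>
  <logger name="io.undertow.request.security" level="DEBUG"/>
  <root level="INFO"/>
</configuration>"""

# Verbose level set on a parent logger; the sensitive child inherits it.
INHERITED_CONFIG = """<configuration>
  <logger name="io.undertow" level="TRACE"/>
  <root level="INFO"/>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <logger name="io.undertow.request.security" level="INFO"/>
  <root level="INFO"/>
</configuration>"""


if __name__ == "__main__":
    for version in ("2.0.20.Final", "2.0.21.Final"):
        for label, cfg in (("vulnerable", VULNERABLE_CONFIG),
                           ("inherited", INHERITED_CONFIG),
                           ("hardened", HARDENED_CONFIG)):
            print(version, label, "->", "EXPOSED" if exposes_credentials(version, cfg) else "ok")
```

The inheritance walk is the part most audits miss: a config that never mentions `io.undertow.request.security` still exposes credentials if `io.undertow` or the root logger is set to DEBUG, so check the effective level, not just an explicit entry. Upgrading to 2.0.21.Final closes the issue regardless of the logging configuration.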

References

CVSS Score

4.8
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
Credit
Unknown
CVE
CVE-2019-10212
CWE
CWE-200
Snyk ID
SNYK-JAVA-IOUNDERTOW-471684
Disclosed
02 Oct, 2019
Published
03 Oct, 2019