MEDIUM · 4.8

CVE-2017-12196

Undertow before versions 1.4.18.SP1, 1.4.24.Final and 2.0.2.Final does not check that the uri directive in a Digest Authorization header matches the URI in the HTTP request line, so an on-path attacker can replay a captured header against a different resource on the server.

Vulnerability Description

Undertow before versions 1.4.18.SP1, 1.4.24.Final and 2.0.2.Final is vulnerable when Digest authentication is used: the server does not verify that the uri directive in the Authorization header matches the request-target in the HTTP request line. Because the digest response is computed over the uri directive rather than over the request line, an attacker in a man-in-the-middle position can intercept a client's validly authenticated request, rewrite the request line to point at a different resource while leaving the Authorization header untouched, and the server will accept it and serve that resource. The result is unauthorized read access to content the client never requested.
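The following Python example is added here to illustrate the check described above; it is not Undertow's code and does not reproduce the project's implementation. It implements a minimal RFC 2617-style Digest verifier (MD5, no qop or cnonce, a fixed nonce and a constructed user table, all assumptions for the example) in two variants: one that validates the response hash against the uri directive alone, which is the pattern this CVE describes, and one that additionally requires the uri directive to equal the request-target. The mitm_replay function then plays the attack: a client authenticates to /public, an on-path attacker rewrites the request line to /secret, and only the fixed verifier rejects it.

```python
import hashlib
import hmac
import re

# Constructed example state; a real server issues fresh nonces and stores
# credentials (or HA1 hashes) in a proper store.
REALM = "example"
USERS = {"alice": "s3cr3t"}
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, realm=REALM):
    """Client-side response = MD5(HA1:nonce:HA2), with HA2 = MD5(method:uri).

    Note that the uri fed into HA2 is whatever the client puts in the
    Authorization header, which is why the server must compare it to the
    request line.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, password, method, uri, nonce):
    """Builds the Authorization header a client would send for one request."""
    resp = digest_response(username, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_authorization(header):
    """Minimal parser for the key="value" directives of a Digest header."""
    if not header.startswith("Digest "):
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Digest "):]))


def verify_vulnerable(method, request_target, header):
    """CVE-2017-12196 pattern: the hash is checked against the header's uri
    directive only; request_target is never consulted."""
    d = parse_authorization(header)
    if d is None or d.get("realm") != REALM or d.get("nonce") != NONCE:
        return False
    password = USERS.get(d.get("username"))
    if password is None or "uri" not in d:
        return False
    expected = digest_response(d["username"], password, method, d["uri"], d["nonce"])
    return hmac.compare_digest(expected, d.get("response", ""))


def verify_fixed(method, request_target, header):
    """Hardened check: the uri directive must equal the request-target before
    the digest is even computed."""
    d = parse_authorization(header)
    if d is None or d.get("uri") != request_target:
        return False
    return verify_vulnerable(method, request_target, header)


def mitm_replay():
    """Alice authenticates to GET /public; an on-path attacker forwards the
    same Authorization header with the request line changed to GET /secret."""
    header = build_authorization("alice", "s3cr3t", "GET", "/public", NONCE)
    return {
        "vulnerable_accepts_replay": verify_vulnerable("GET", "/secret", header),
        "fixed_accepts_replay": verify_fixed("GET", "/secret", header),
        "fixed_accepts_legit": verify_fixed("GET", "/public", header),
        "fixed_rejects_bad_password": verify_fixed(
            "GET", "/public", build_authorization("alice", "wrong", "GET", "/public", NONCE)),
    }


if __name__ == "__main__":
    for name, outcome in mitm_replay().items():
        print(f"{name}: {outcome}")
```

The uri comparison is cheap and is what the Digest specification expects of a server; without it the integrity that the response hash is supposed to give the request-target is lost, even though the password itself is never exposed. A complete verifier would also enforce nonce freshness and a qop of auth or auth-int, which this example omits.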

CVSS Score

4.8

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor   | Product                              | Versions
Red Hat  | Undertow                             | <= 1.4.18
Red Hat  | JBoss Enterprise Application Platform | 7.0.0
Red Hat  | JBoss Fuse                           | 6.0.0
Red Hat  | Virtualization                       | 4.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2017-12196?

CVE-2017-12196 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Undertow before versions 1.4.18.SP1, 1.4.24.Final and 2.0.2.Final, when using Digest authentication, does not ensure that the uri directive in the Authorization header matches the URI in the HTTP request line, which lets a man-in-the-middle attacker replay a captured header to access other content on the server.

How severe is CVE-2017-12196?

CVE-2017-12196 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-12196?

Check the references section above for vendor advisories and patch information. Fixed Undertow versions are 1.4.18.SP1, 1.4.24.Final and 2.0.2.Final. Affected products include: Red Hat Undertow, Red Hat JBoss Enterprise Application Platform, Red Hat JBoss Fuse, Red Hat Virtualization.