Credential exposure through log files in Undertow

GHSA-jwgx-9mmh-684w · CVE-2019-3888

Published Jun 13, 2019 · Modified Feb 16, 2024

Description

A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-3888
WEB https://access.redhat.com/errata/RHSA-2019:2439
WEB https://access.redhat.com/errata/RHSA-2019:2998
WEB https://access.redhat.com/errata/RHSA-2020:0727
WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3888
WEB https://security.netapp.com/advisory/ntap-20220210-0019
WEB http://www.securityfocus.com/bid/108739

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes