{"containers": {"cna": {"affected": [{"product": "undertow", "vendor": "unspecified", "versions": [{"status": "affected", "version": "undertow 1.4.18.SP1"}, {"status": "affected", "version": " undertow 2.0.2.Final"}, {"status": "affected", "version": " undertow 1.4.24.Final"}]}], "datePublic": "2018-03-12T00:00:00", "descriptions": [{"lang": "en", "value": "undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-12-05T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2018:0479", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"name": "RHSA-2018:0481", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"name": "RHSA-2018:2405", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"name": "RHSA-2018:1525", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196"}, {"name": "RHSA-2018:0480", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.jboss.org/browse/UNDERTOW-1190"}, {"name": "RHSA-2018:3768", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"name": "RHSA-2018:0478", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:0478"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-12196", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "undertow", "version": {"version_data": [{"version_value": "undertow 1.4.18.SP1"}, {"version_value": " undertow 2.0.2.Final"}, {"version_value": " undertow 1.4.24.Final"}]}}]}, "vendor_name": ""}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server."}]}, "impact": {"cvss": [[{"vectorString": "4.8/CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:0479", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"name": "RHSA-2018:0481", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"name": "RHSA-2018:2405", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"name": "RHSA-2018:1525", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196"}, {"name": "RHSA-2018:0480", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"name": "https://issues.jboss.org/browse/UNDERTOW-1190", "refsource": "CONFIRM", "url": "https://issues.jboss.org/browse/UNDERTOW-1190"}, {"name": "RHSA-2018:3768", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"name": "RHSA-2018:0478", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:0478"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:28:16.713Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:0479", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"name": "RHSA-2018:0481", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"name": "RHSA-2018:2405", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"name": "RHSA-2018:1525", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196"}, {"name": "RHSA-2018:0480", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.jboss.org/browse/UNDERTOW-1190"}, {"name": "RHSA-2018:3768", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"name": "RHSA-2018:0478", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:0478"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-12196", "datePublished": "2018-04-18T01:00:00", "dateReserved": "2017-08-01T00:00:00", "dateUpdated": "2024-08-05T18:28:16.713Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EB2078E-40F6-4DAD-A307-E141E1CFB313", "versionEndIncluding": "1.4.18", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:1.4.24:*:*:*:*:*:*:*", "matchCriteriaId": "36FE5FE4-37B9-4FD7-A3FB-59DD4C6E372E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:undertow:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "C5270A0F-6A16-4ACE-8650-493D91A41EC4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server."}, {"lang": "es", "value": "Se ha descubierto que undertow, en sus versiones 1.4.18.SP1, 2.0.2.Final y 1.4.24.Final, es vulnerable al usar la autenticaci\u00f3n Digest, ya que el servidor no garantiza que el valor del URI en la cabecera Authorization coincida con el URIb en la l\u00ednea de petici\u00f3n HTTP. Esto permite que el atacante provoque un ataque Man-in-the-Middle (MitM) y acceda al contenido que desee en el servidor."}], "id": "CVE-2017-12196", "lastModified": "2024-11-21T03:09:01.960", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-04-18T01:29:01.443", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0478"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://issues.jboss.org/browse/UNDERTOW-1190"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0478"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0479"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0480"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:0481"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1525"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2405"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3768"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://issues.jboss.org/browse/UNDERTOW-1190"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Jan Stourac (Red Hat).", "affected_release": [{"advisory": "RHSA-2018:3768", "cpe": "cpe:/a:redhat:jboss_fuse:7", "product_name": "Red Hat Fuse 7.2", "release_date": "2018-12-04T00:00:00Z"}, {"advisory": "RHSA-2018:2405", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "package": "undertow", "product_name": "Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R7", "release_date": "2018-08-14T00:00:00Z"}, {"advisory": "RHSA-2018:0478", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "package": "undertow", "product_name": "Red Hat JBoss EAP 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-activemq-artemis-0:1.5.5.009-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-apache-cxf-0:3.1.13-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-glassfish-jsf-0:2.2.13-6.SP5_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-hibernate-0:5.1.12-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-infinispan-0:8.2.9-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-ironjacamar-0:1.4.7-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jackson-annotations-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jackson-core-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jackson-databind-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jackson-jaxrs-providers-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jackson-module-jaxb-annotations-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jackson-modules-java8-0:2.8.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jboss-logmanager-0:2.0.8-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jboss-server-migration-0:1.0.3-6.Final_redhat_6.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jbossws-cxf-0:5.1.10-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-narayana-0:5.5.31-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-picketlink-bindings-0:2.5.5-10.SP9_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-picketlink-federation-0:2.5.5-10.SP9_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-resteasy-0:3.0.25-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-undertow-0:1.4.18-4.SP2_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-undertow-jastow-0:2.0.3-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-0:7.1.1-4.GA_redhat_2.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-elytron-0:1.1.8-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-http-client-0:1.0.9-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-javadocs-0:7.1.1-3.GA_redhat_2.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wss4j-0:2.1.11-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0479", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-xml-security-0:2.0.9-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jboss-ec2-eap-0:7.1.1-3.1.GA_redhat_3.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-activemq-artemis-0:1.5.5.009-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-apache-cxf-0:3.1.13-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-glassfish-jsf-0:2.2.13-6.SP5_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-hibernate-0:5.1.12-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-infinispan-0:8.2.9-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-ironjacamar-0:1.4.7-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jackson-annotations-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jackson-core-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jackson-databind-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jackson-jaxrs-providers-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jackson-module-jaxb-annotations-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jackson-modules-java8-0:2.8.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jboss-logmanager-0:2.0.8-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jboss-server-migration-0:1.0.3-6.Final_redhat_6.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jbossws-cxf-0:5.1.10-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-narayana-0:5.5.31-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-picketlink-bindings-0:2.5.5-10.SP9_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-picketlink-federation-0:2.5.5-10.SP9_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-resteasy-0:3.0.25-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-undertow-0:1.4.18-4.SP2_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-undertow-jastow-0:2.0.3-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-0:7.1.1-4.GA_redhat_2.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-elytron-0:1.1.8-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-http-client-0:1.0.9-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-javadocs-0:7.1.1-3.GA_redhat_2.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wss4j-0:2.1.11-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0480", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-xml-security-0:2.0.9-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2018:0481", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jboss-ec2-eap-0:7.1.1-3.1.GA_redhat_3.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-03-12T00:00:00Z"}, {"advisory": "RHSA-2020:2561", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_cd:12", "package": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform Continuous Delivery", "release_date": "2020-06-15T00:00:00Z"}, {"advisory": "RHSA-2020:2562", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_cd:13", "package": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform Continuous Delivery", "release_date": "2020-06-15T00:00:00Z"}, {"advisory": "RHSA-2018:1525", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package": "rhvm-appliance-0:4.2-20180504.0", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2018-05-15T00:00:00Z"}], "bugzilla": {"description": "undertow: Client can use bogus uri in Digest authentication", "id": "1503055", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1503055"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-287", "details": ["undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.", "It was discovered that when using Digest authentication, the server does not ensure that the value of the URI in the authorization header matches the URI in the HTTP request line. This allows the attacker to execute a MITM attack and access the desired content on the server."], "name": "CVE-2017-12196", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Will not fix", "package_name": "camel", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:fuse_integration_services:2", "fix_state": "Affected", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse Integration Service 2"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2018-03-12T15:56:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-12196\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-12196"], "threat_severity": "Moderate"}