CVE-2020-1757

HIGH8.1EPSS 0.46%

Improper Input Validation in Undertow

Published: 5/24/2022Modified: 11/8/2023

Also known as:GHSA-2w73-fqqj-c92pDEBIAN-CVE-2020-1757

Description

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

Affected packages (2)

Debian/undertowfrom 0, < 2.1.0-1
Maven/io.undertow:undertow-corefrom 0, < 2.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-1757
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-1757
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757