When using a "Digest" authentication, server does not ensure that value of the "uri" attribute in "Authorization" header matches URI in HTTP request line. This can be exploitedby an attacker as a MITM attack to access desired content on server.
Acknowledgments: Name: Jan Stourac (Red Hat)
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481
Hello Bharti, the upstream bug JBEAP-13313 is not public. Could you share more information with us about the implications of CVE-2017-12196, which versions of undertow are affected, what was the first fixed version and what commit actually addressed the issue. Thanks, Markus
(In reply to Markus Koschany from comment #13) > Hello Bharti, > > the upstream bug JBEAP-13313 is not public. Could you share more information > with us about the implications of CVE-2017-12196, which versions of undertow > are affected, what was the first fixed version and what commit actually > addressed the issue. > > Thanks, > > Markus Hi Markus, I have requested the public facing JIRA for this.Once I have any information I will update you.
(In reply to Bharti Kundal from comment #15) > (In reply to Markus Koschany from comment #13) > > Hello Bharti, > > > > the upstream bug JBEAP-13313 is not public. Could you share more information > > with us about the implications of CVE-2017-12196, which versions of undertow > > are affected, what was the first fixed version and what commit actually > > addressed the issue. > > > > Thanks, > > > > Markus > > Hi Markus, > > I have requested the public facing JIRA for this.Once I have any information > I will update you. Hi Markus, Here is the JIRA https://issues.jboss.org/browse/UNDERTOW-1190.Let me know if you have the access now.
Thank you. I can access the bug report now.
This issue has been addressed in the following products: Red Hat Virtualization 4 for RHEL-7 Via RHSA-2018:1525 https://access.redhat.com/errata/RHSA-2018:1525
This issue has been addressed in the following products: Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R7 Via RHSA-2018:2405 https://access.redhat.com/errata/RHSA-2018:2405
This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
RHSSO rebased to fixed version in 7.2.4
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2561 https://access.redhat.com/errata/RHSA-2020:2561
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2562 https://access.redhat.com/errata/RHSA-2020:2562