CVE-2019-3888

A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)

Published: Jun 12, 2019
Updated: May 9, 2024
CVE: CVE-2019-3888
GHSA: GHSA-jwgx-9mmh-684w
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-532

Affected Software
References

Software	From	Fixed in
redhat / undertow	-	2.0.21
redhat / virtualization	4.0	4.0.x
redhat / virtualization_host	4.0	4.0.x
io.undertow / undertow-core	-	2.0.21

http://www.securityfocus.com/bid/108739
https://access.redhat.com/errata/RHSA-2019:2439
https://access.redhat.com/errata/RHSA-2019:2998
https://access.redhat.com/errata/RHSA-2020:0727
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3888
https://security.netapp.com/advisory/ntap-20220210-0019/

Vulnerability Database

289,599

CVE-2019-3888