CVE-2021-3688

2022-08-2616:15:09

CWE-200

CWE-22

[email protected]

web.nvd.nist.gov

red hat

jboss core services

http server

vulnerability

data confidentiality

integrity

cve-2021-3688

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.9%

JSON

A flaw was found in Red Hat JBoss Core Services HTTP Server in all versions, where it does not properly normalize the path component of a request URL contains dot-dot-semicolon(s). This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Affected configurations

Vulners

NVD

Node

http_server_projecthttp_serverRange≤2.4.37

VendorProductVersionCPE
http_server_projecthttp_server*cpe:2.3:a:http_server_project:http_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
http_server_project	http_server	*	cpe:2.3:a:http_server_project:http_server::::::::

CNA Affected

[
  {
    "product": "Red Hat JBCS HTTP Server",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in jbcs-httpd-2.4.37.SP10 GA"
      }
    ]
  }
]