Lucene search

K
f5F5F5:K73059510
HistoryMay 12, 2020 - 12:00 a.m.

K73059510 : Undertow vulnerabilities CVE-2019-10212 and CVE-2020-1745

2020-05-1200:00:00
my.f5.com
7

AI Score

7.3

Confidence

Low

EPSS

0.01

Percentile

83.7%

Security Advisory Description

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user’s credentials from the log files.

A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.

Impact

There is no impact; F5 products are not affected by this vulnerability.