CVE-2020-1757

2020-04-2117:15:12

Google

osv.dev

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.5 Medium

AI Score

Confidence

Low

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

25.9%

JSON

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

CPENameOperatorVersion
undertoweq1.3.0.Beta6
undertoweq1.0.2.Final
undertoweq1.0.0.Alpha9
undertoweq1.0.0.Alpha21
undertoweq1.0.0.Beta33
undertoweq1.0.0.Alpha2
undertoweq1.0.0.Beta21
undertoweq1.0.0.Beta11
undertoweq2.0.7.Final
undertoweq1.0.0.Alpha6

Name	Operator	Version
undertow	eq	1.3.0.Beta6
undertow	eq	1.0.2.Final
undertow	eq	1.0.0.Alpha9
undertow	eq	1.0.0.Alpha21
undertow	eq	1.0.0.Beta33
undertow	eq	1.0.0.Alpha2
undertow	eq	1.0.0.Beta21
undertow	eq	1.0.0.Beta11
undertow	eq	2.0.7.Final
undertow	eq	1.0.0.Alpha6