Lucene search

Redhat.comRH:CVE-2021-3688

HistoryApr 06, 2023 - 8:57 a.m.

CVE-2021-3688

2023-04-0608:57:43

redhat.com

access.redhat.com

red hat jboss

http server

unauthorized access

further attacks

mitigation

locationmatch directive

jbcs httpd configuration

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

39.0%

JSON

A flaw was found in Red Hat JBoss Core Services HTTP Server in all versions, where it does not properly normalize the path component of a request URL contains dot-dot-semicolon(s). This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Mitigation

Manually add LocationMatch directive to deny any possible problem requests in the JBCS httpd configuration. For example:

&lt;LocationMatch ".*\.\.;.*"&gt;  
  Require all denied  
&lt;/LocationMatch&gt;

References

bugzilla.redhat.com/show_bug.cgi?id=1990252

nvd.nist.gov/vuln/detail/CVE-2021-3688

www.cve.org/CVERecord?id=CVE-2021-3688

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

39.0%

JSON

Related for RH:CVE-2021-3688