Security Tracking Issue
Do not make this issue public.
Impact: Important
Public Date: 26-Feb-2020
Resolve Bug By: 18-Mar-2020
In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then.
Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9RBqB
Flaw:
CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=1807305
A file read/inclusion vulnerability was found in the AJP connector in Undertow. The AJP connector is enabled in the default configuration on port 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).
- is documented by: UNDERTOW-1977 Document AJP_ALLOWED_REQUEST_ATTRIBUTES_PATTERN (Open)
- is incorporated by: JBEAP-18267 [GSS] (7.2.z) Upgrade Undertow from 2.0.28.SP1-redhat-00001 to 2.0.30.SP1-redhat-00001 (Closed)
- links to