CVE-2020-1757

Summary

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

Affected Software

VendorProductVersion RangeStatus
Red Hatundertowall undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1affected
Red Hatundertowall undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Finalaffected

Weaknesses

  • CWE-20: CWE-20
  • CWE-200: CWE-200

ADP Enrichment

CVE Program Container

Additional References

References