Headline
CVE-2019-3888: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed
A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)
Description Laura Pardo 2019-03-28 15:41:29 UTC
A vulnerability was found in Undertow web server. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)
Comment 1 Darran Lofthouse 2019-03-28 19:10:37 UTC
FYI I am not sure the route this came in but a community contributed pull request is already in the queue potentially leaking information about it’s existence https://github.com/undertow-io/undertow/pull/736
Comment 5 Laura Pardo 2019-04-10 16:55:28 UTC
Acknowledgments:
Name: Carter Kozak
Comment 6 Joshua Padman 2019-05-15 23:00:52 UTC
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 8 errata-xmlrpc 2019-06-10 16:38:57 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Via RHSA-2019:1419 https://access.redhat.com/errata/RHSA-2019:1419
Comment 9 errata-xmlrpc 2019-06-10 16:40:56 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2019:1421 https://access.redhat.com/errata/RHSA-2019:1421
Comment 10 errata-xmlrpc 2019-06-10 16:43:12 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Via RHSA-2019:1420 https://access.redhat.com/errata/RHSA-2019:1420
Comment 11 errata-xmlrpc 2019-06-10 16:51:52 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2019:1424 https://access.redhat.com/errata/RHSA-2019:1424
Comment 13 errata-xmlrpc 2019-06-11 15:32:35 UTC
This issue has been addressed in the following products:
Red Hat Single Sign-On 7.3.2 zip
Via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456
Comment 16 Product Security DevOps Team 2019-07-12 13:06:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-3888
Comment 20 errata-xmlrpc 2019-08-12 11:54:50 UTC
This issue has been addressed in the following products:
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
Via RHSA-2019:2439 https://access.redhat.com/errata/RHSA-2019:2439
Comment 21 errata-xmlrpc 2019-10-10 09:54:40 UTC
This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes
Via RHSA-2019:2998 https://access.redhat.com/errata/RHSA-2019:2998
Comment 23 errata-xmlrpc 2020-03-05 12:53:38 UTC
This issue has been addressed in the following products:
Red Hat Data Grid 7.3.3
Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727
Comment 24 errata-xmlrpc 2020-03-26 15:47:23 UTC
This issue has been addressed in the following products:
Red Hat Fuse 7.6.0
Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983