Candidate: CVE-2017-12196
PublicDate: 2018-04-18 01:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12196
 https://bugzilla.redhat.com/show_bug.cgi?id=1503055
Description:
 undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found
 vulnerable when using Digest authentication, the server does not ensure
 that the value of URI in the Authorization header matches the URI in HTTP
 request line. This allows the attacker to cause a MITM attack and access
 the desired content on the server.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]


Patches_undertow:
upstream_undertow: released (1.4.25-1)
precise/esm_undertow: DNE
trusty_undertow: DNE
trusty/esm_undertow: DNE
xenial_undertow: ignored (end of standard support, was needed)
artful_undertow: ignored (reached end-of-life)
bionic_undertow: needed
cosmic_undertow: not-affected (1.4.25-1)
disco_undertow: not-affected (1.4.25-1)
eoan_undertow: not-affected (1.4.25-1)
focal_undertow: not-affected (1.4.25-1)
groovy_undertow: not-affected (1.4.25-1)
hirsute_undertow: not-affected (1.4.25-1)
impish_undertow: not-affected (1.4.25-1)
jammy_undertow: not-affected (1.4.25-1)
devel_undertow: not-affected (1.4.25-1)