Candidate: CVE-2019-3888
PublicDate: 2019-06-12 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3888
 https://github.com/undertow-io/undertow/pull/736
Description:
 A vulnerability was found in Undertow web server before 2.0.21. An
 information exposure of plain text credentials through log files because
 Connectors.executeRootHandler:402 logs the HttpServerExchange object at
 ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t,
 exchange)
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930349
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_undertow:
 upstream: https://github.com/undertow-io/undertow/pull/736/commits/20cacc96c0594f4f4f9bb1cc2b93a77b6be3f74c
upstream_undertow: needs-triage
precise/esm_undertow: DNE
trusty_undertow: ignored (out of standard support)
trusty/esm_undertow: DNE
xenial_undertow: ignored (end of standard support, was needed)
bionic_undertow: needed
cosmic_undertow: ignored (reached end-of-life)
disco_undertow: ignored (reached end-of-life)
eoan_undertow: released (2.0.23-1)
focal_undertow: released (2.0.23-1)
groovy_undertow: released (2.0.23-1)
hirsute_undertow: released (2.0.23-1)
impish_undertow: released (2.0.23-1)
jammy_undertow: released (2.0.23-1)
devel_undertow: released (2.0.23-1)
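The exposure described above only matters once a failed request has been written to disk, so the check a practitioner wants on a host that ran an unpatched Undertow (for example bionic, where the fix is still "needed") is a scan of existing log files for exchange dumps that carry credentials, and a redaction step for the log pipeline until the package is upgraded. The following is an added example for this entry, not code from Undertow or from the Ubuntu tracker. The sample log lines are constructed: they imitate the shape of an ERROR line from UndertowLogger.REQUEST_LOGGER.undertowRequestFailed followed by HttpServerExchange.toString(), but the message id UT005071, the header layout and the timestamp format are assumptions and may differ from what a given server version prints. The header names in SENSITIVE_HEADERS and the <redacted> placeholder are likewise this example's choices.

```python
"""Scan server logs for Undertow-style "request failed" entries that dump an
HttpServerExchange, flag any whose request headers carry credentials, and
redact them. Added example for the CVE-2019-3888 tracker entry; not Undertow code.
"""
import base64
import re

# Constructed log excerpt. Lines 1 and 2 leak credentials, line 3 is unrelated,
# line 4 is an exchange dump with nothing sensitive in it. The UT005071 id and
# field layout are assumptions, not a verified Undertow format.
SAMPLE_LOG = """\
2019-06-12 14:29:00,001 ERROR [io.undertow.request] (default task-1) UT005071: Undertow request failed HttpServerExchange{ GET /api/accounts request {Authorization=[Basic YWxpY2U6cy0zY3IzdA==], Host=[app.example.test], Accept=[*/*]} response {Content-Type=[application/json]}}
2019-06-12 14:29:00,002 ERROR [io.undertow.request] (default task-2) UT005071: Undertow request failed HttpServerExchange{ POST /api/orders request {Cookie=[JSESSIONID=AB12CD34], Host=[app.example.test]} response {}}
2019-06-12 14:29:00,003 INFO  [org.example.app] (default task-3) order 42 created
2019-06-12 14:29:00,004 ERROR [io.undertow.request] (default task-4) UT005071: Undertow request failed HttpServerExchange{ GET /health request {Host=[app.example.test]} response {}}
"""

# Header names whose values must never reach a log file (example's own list).
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie", "x-api-key")
REDACTED = "<redacted>"

# One "Name=[value]" pair inside the dumped header map.
HEADER_RE = re.compile(r"(?P<name>[A-Za-z0-9-]+)=\[(?P<value>[^\]]*)\]")
# The exchange dump: method, request URI, then the request header map.
EXCHANGE_RE = re.compile(
    r"HttpServerExchange\{\s*(?P<method>\S+)\s+(?P<uri>\S+)\s+request\s+\{(?P<headers>[^}]*)\}"
)


def find_exposures(log_text):
    """Return one record per line whose exchange dump carries a sensitive header value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = EXCHANGE_RE.search(line)
        if not m:
            continue
        leaked = {}
        for h in HEADER_RE.finditer(m.group("headers")):
            # An already-redacted dump is not an exposure.
            if h.group("name").lower() in SENSITIVE_HEADERS and h.group("value") != REDACTED:
                leaked[h.group("name")] = h.group("value")
        if leaked:
            findings.append({"line": lineno, "method": m.group("method"),
                             "uri": m.group("uri"), "headers": leaked})
    return findings


def decode_basic(value):
    """Recover the user name from a 'Basic <base64>' value so the affected account
    can be rotated. The password is deliberately not returned. None for other schemes."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, _password = creds.partition(":")
    return user


def redact(line):
    """Replace sensitive header values in a log line while keeping the header names,
    which is what a log shipper should do in front of an unpatched server."""
    def sub(h):
        if h.group("name").lower() in SENSITIVE_HEADERS:
            return f"{h.group('name')}=[{REDACTED}]"
        return h.group(0)
    return HEADER_RE.sub(sub, line)


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        user = decode_basic(f["headers"].get("Authorization", ""))
        print(f"line {f['line']}: {f['method']} {f['uri']} leaks {sorted(f['headers'])}"
              + (f" (basic auth user {user!r})" if user else ""))
    for line in SAMPLE_LOG.splitlines():
        print(redact(line))
```

Running the scanner over real server.log rotations tells you which accounts and sessions to rotate; the redaction is a stop-gap for the logging pipeline, not a substitute for moving to an Undertow build that carries the upstream fix (2.0.21 or later, 2.0.23-1 on the Ubuntu releases listed above).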