Candidate: CVE-2020-1745
PublicDate: 2020-04-28 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1745
 https://bugzilla.redhat.com/show_bug.cgi?id=1807305
 https://access.redhat.com/security/cve/CVE-2020-1938
Description:
 A file inclusion vulnerability was found in the AJP connector enabled with
 a default AJP configuration port of 8009 in Undertow version 2.0.29.Final
 and before and was fixed in 2.0.30.Final. A remote, unauthenticated
 attacker could exploit this vulnerability to read web application files
 from a vulnerable server. In instances where the vulnerable server allows
 file uploads, an attacker could upload malicious JavaServer Pages (JSP)
 code within a variety of file types and trigger this vulnerability to gain
 remote code execution.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_undertow:
upstream_undertow: needs-triage
precise/esm_undertow: DNE
trusty_undertow: ignored (out of standard support)
trusty/esm_undertow: DNE
xenial_undertow: ignored (end of standard support, was needs-triage)
bionic_undertow: needs-triage
eoan_undertow: ignored (reached end-of-life)
focal_undertow: needs-triage
groovy_undertow: not-affected (2.0.30-1)
hirsute_undertow: not-affected (2.0.30-1)
impish_undertow: not-affected (2.0.30-1)
jammy_undertow: not-affected (2.0.30-1)
devel_undertow: not-affected (2.0.30-1)