CVE-2018-14642
Published: 18 September 2018
An information leak vulnerability was found in Undertow. If not all headers are written out in the first write() call, the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.
Priority
Status
Package | Release | Status |
---|---|---|
undertow Launchpad, Ubuntu, Debian | bionic | Needs triage |
 | cosmic | Ignored (end of life) |
 | disco | Ignored (end of life) |
 | eoan | Released (2.0.23-1) |
 | focal | Released (2.0.23-1) |
 | groovy | Released (2.0.23-1) |
 | hirsute | Released (2.0.23-1) |
 | impish | Released (2.0.23-1) |
 | jammy | Released (2.0.23-1) |
 | kinetic | Released (2.0.23-1) |
 | lunar | Does not exist |
 | mantic | Does not exist |
 | trusty | Does not exist |
 | upstream | Needs triage |
 | xenial | Needs triage |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |