It was discovered that when using Digest authentication, the server does not ensure that the value of the URI in the authorization header matches the URI in the HTTP request line. This allows the attacker to execute a MITM attack and access the desired content on the server.
Find out more about CVE-2017-12196 from the MITRE CVE dictionary dictionary and NIST NVD.
| CVSS3 Base Score | 4.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 7 | RHSA-2018:3768 | 2018-12-04 |
| Red Hat JBoss Fuse 6.3 | RHSA-2018:2405 | 2018-08-14 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-undertow) | RHSA-2018:0480 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2018:0481 | 2018-03-12 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) | RHSA-2018:1525 | 2018-05-15 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-undertow) | RHSA-2018:0479 | 2018-03-12 |
| Red Hat JBoss EAP 7 | RHSA-2018:0478 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2018:0481 | 2018-03-12 |
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | eap7-undertow | Affected |
| Red Hat Single Sign-On 7 | undertow | Under investigation |
Vulmon