CVE-2017-12196
It was discovered that when using Digest authentication, the server does not ensure that the value of the URI in the authorization header matches the URI in the HTTP request line. This allows the attacker to execute a MITM attack and access the desired content on the server.
Find out more about CVE-2017-12196 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 4.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 6.3 | RHSA-2018:2405 | 2018-08-14 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-undertow) | RHSA-2018:0480 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2018:0481 | 2018-03-12 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) | RHSA-2018:1525 | 2018-05-15 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-undertow) | RHSA-2018:0479 | 2018-03-12 |
| Red Hat JBoss EAP 7 | RHSA-2018:0478 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2018:0481 | 2018-03-12 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | eap7-undertow | Affected |
| Red Hat Single Sign-On 7 | undertow | Under investigation |
