CVE-2018-14642 — Exposure of Sensitive Information to an Unauthorized Actor in Undertow

Description

An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

How to fix CVE-2018-14642

To remediate CVE-2018-14642, upgrade the affected package to a fixed version below.

—upgrade to 2.0.23-1 or later
—upgrade to 2.0.19.FINAL or later

Is CVE-2018-14642 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.0.23-1
from 0, < 2.0.19.FINAL

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-14642
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-14642
WEBaccess.redhat.com/errata/RHSA-2019:0362
WEBaccess.redhat.com/errata/RHSA-2019:0364
WEB