CVE-2019-10212 — Potential to access user credentials from the log files when debug logging enabl

Description

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

How to fix CVE-2019-10212

To remediate CVE-2019-10212, upgrade the affected package to a fixed version below.

Debian/undertow—upgrade to 2.0.27-1 or later
—upgrade to 2.0.20 or later

Is CVE-2019-10212 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.0.27-1
from 0, < 2.0.20

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10212
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-10212
WEBaccess.redhat.com/errata/RHSA-2019:2998
WEBaccess.redhat.com/errata/RHSA-2020:0727
WEB