CVE-2019-3888

CRITICAL

Redhat Undertow < 2.0.21 - Log Information Exposure

Title source: rule

Description

A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)

References (6)

Core 6

Core References

Issue Tracking, Vendor Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3888

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/108739

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2439

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2998

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2020:0727

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20220210-0019/

Scores

CVSS v3 9.8

EPSS 0.0058

EPSS Percentile 68.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-532

Status published

Products (7)

io.undertow/undertow-core 0 - 2.0.21Maven

netapp/active_iq_unified_manager (3 CPE variants)

redhat/jboss_data_grid

redhat/openshift_application_runtimes

redhat/undertow < 2.0.21

redhat/virtualization 4.0

redhat/virtualization_host 4.0

Published Jun 12, 2019

Tracked Since Feb 18, 2026