An update for undertow is now available for openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1257 Final 1.0 1.0 2025-03-07 Initial 2025-03-07 2025-03-07 openEuler SA Tool V1.0 2025-03-07 undertow security update An update for undertow is now available for openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS Java web server using non-blocking IO Security Fix(es): undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.(CVE-2017-12196) undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.(CVE-2019-10184) A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.(CVE-2019-10212) An update for undertow is now available for openEuler-24.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical undertow https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1257 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2017-12196 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2019-10184 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2019-10212 https://nvd.nist.gov/vuln/detail/CVE-2017-12196 https://nvd.nist.gov/vuln/detail/CVE-2019-10184 https://nvd.nist.gov/vuln/detail/CVE-2019-10212 openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS undertow-1.4.0-10.oe2403sp1.noarch.rpm undertow-javadoc-1.4.0-10.oe2403sp1.noarch.rpm undertow-1.4.0-9.oe2003sp4.noarch.rpm undertow-javadoc-1.4.0-9.oe2003sp4.noarch.rpm undertow-1.4.0-9.oe2203sp3.noarch.rpm undertow-javadoc-1.4.0-9.oe2203sp3.noarch.rpm undertow-1.4.0-9.oe2203sp4.noarch.rpm undertow-javadoc-1.4.0-9.oe2203sp4.noarch.rpm undertow-1.4.0-10.oe2403.noarch.rpm undertow-javadoc-1.4.0-10.oe2403.noarch.rpm undertow-1.4.0-10.oe2403sp1.src.rpm undertow-1.4.0-9.oe2003sp4.src.rpm undertow-1.4.0-9.oe2203sp3.src.rpm undertow-1.4.0-9.oe2203sp4.src.rpm undertow-1.4.0-10.oe2403.src.rpm undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server. 2025-03-07 CVE-2017-12196 openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS Medium 5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N undertow security update 2025-03-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1257 undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. 2025-03-07 CVE-2019-10184 openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N undertow security update 2025-03-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1257 A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. 2025-03-07 CVE-2019-10212 openEuler-24.03-LTS-SP1 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H undertow security update 2025-03-07 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1257