Vulnerability details: VCID-cnm8-ugx1-3ug6
Vulnerability ID: VCID-cnm8-ugx1-3ug6
Aliases: CVE-2017-12196, GHSA-cp7v-vmv7-6x2q
Summary: Undertow before versions 1.4.18.SP1, 2.0.2.Final and 1.4.24.Final was found vulnerable when using Digest authentication: the server does not ensure that the value of the URI in the Authorization header matches the URI in the HTTP request line. This allows an attacker to mount a MITM attack and access the desired content on the server.
Status: Published
Exploitability: 0.5
Weighted Severity: 6.2
Risk: 3.1
System Score Found at
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2018:0478
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:0478
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2018:0479
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:0479
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2018:0480
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:0480
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2018:0481
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:0481
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2018:1525
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:1525
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2018:2405
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:2405
cvssv3.1 5.9 https://access.redhat.com/errata/RHSA-2018:3768
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:3768
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12196.json
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss 0.00401 https://api.first.org/data/v1/epss?cve=CVE-2017-12196
cvssv3.1 5.9 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-cp7v-vmv7-6x2q
cvssv3.1 5.9 https://github.com/undertow-io/undertow
generic_textual MODERATE https://github.com/undertow-io/undertow
cvssv3.1 5.9 https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
generic_textual MODERATE https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
cvssv3.1 5.9 https://issues.jboss.org/browse/UNDERTOW-1190
generic_textual MODERATE https://issues.jboss.org/browse/UNDERTOW-1190
cvssv2 4.3 https://nvd.nist.gov/vuln/detail/CVE-2017-12196
cvssv3 5.9 https://nvd.nist.gov/vuln/detail/CVE-2017-12196
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2017-12196
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2017-12196
Reference id Reference type URL
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:1525
https://access.redhat.com/errata/RHSA-2018:2405
https://access.redhat.com/errata/RHSA-2018:3768
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12196.json
https://api.first.org/data/v1/epss?cve=CVE-2017-12196
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196
https://github.com/undertow-io/undertow
https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f
https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
https://issues.jboss.org/browse/UNDERTOW-1190
https://nvd.nist.gov/vuln/detail/CVE-2017-12196
1503055 https://bugzilla.redhat.com/show_bug.cgi?id=1503055
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:1.4.24:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow:1.4.24:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:2.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
GHSA-cp7v-vmv7-6x2q https://github.com/advisories/GHSA-cp7v-vmv7-6x2q
RHSA-2020:2561 https://access.redhat.com/errata/RHSA-2020:2561
RHSA-2020:2562 https://access.redhat.com/errata/RHSA-2020:2562
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:0478
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:0479
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:0480
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:0481
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:1525
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:2405
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:3768
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12196.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/undertow-io/undertow
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://issues.jboss.org/browse/UNDERTOW-1190
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-12196
Access Vector (AV): network; Access Complexity (AC): medium; Authentication (Au): none; Confidentiality Impact (C): partial; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-12196
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-12196
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile: 0.4552
EPSS Score: 0.00226
Published At: Aug. 3, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T07:58:41.318562+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 37.0.0