VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-db55-1gpe-aaah

Essentials
Severities (112)
References (25)
Severity details (12)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-db55-1gpe-aaah
Aliases	CVE-2017-12196 GHSA-cp7v-vmv7-6x2q
Summary	Incorrect Authorization When using `Digest` authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-863	Incorrect Authorization
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-287	Improper Authentication

System	Score	Found at
rhas	Important	https://access.redhat.com/errata/RHSA-2018:0478
rhas	Important	https://access.redhat.com/errata/RHSA-2018:0479
rhas	Important	https://access.redhat.com/errata/RHSA-2018:0480
rhas	Important	https://access.redhat.com/errata/RHSA-2018:0481
rhas	Important	https://access.redhat.com/errata/RHSA-2018:1525
rhas	Critical	https://access.redhat.com/errata/RHSA-2018:2405
rhas	Important	https://access.redhat.com/errata/RHSA-2018:3768
rhas	Critical	https://access.redhat.com/errata/RHSA-2020:2561
rhas	Important	https://access.redhat.com/errata/RHSA-2020:2562
cvssv3	4.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12196.json
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00401	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
epss	0.00911	https://api.first.org/data/v1/epss?cve=CVE-2017-12196
rhbs	medium	https://bugzilla.redhat.com/show_bug.cgi?id=1503055
cvssv3.1	5.9	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196
generic_textual	MODERATE	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-cp7v-vmv7-6x2q
cvssv3.1	7.5	https://github.com/undertow-io/undertow
generic_textual	HIGH	https://github.com/undertow-io/undertow
cvssv3.1	5.9	https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
generic_textual	MODERATE	https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
cvssv3.1	5.9	https://issues.jboss.org/browse/UNDERTOW-1190
generic_textual	MODERATE	https://issues.jboss.org/browse/UNDERTOW-1190
cvssv2	4.3	https://nvd.nist.gov/vuln/detail/CVE-2017-12196
cvssv3	5.9	https://nvd.nist.gov/vuln/detail/CVE-2017-12196

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12196.json
		https://api.first.org/data/v1/epss?cve=CVE-2017-12196
		https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196
		https://github.com/undertow-io/undertow
		https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f
		https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870
		https://issues.jboss.org/browse/UNDERTOW-1190
1503055		https://bugzilla.redhat.com/show_bug.cgi?id=1503055
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:::::::*
cpe:2.3:a:redhat:jboss_fuse:6.0.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_fuse:6.0.0:::::::*
cpe:2.3:a:redhat:undertow::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow::::::::
cpe:2.3:a:redhat:undertow:1.4.24:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow:1.4.24:::::::*
cpe:2.3:a:redhat:undertow:2.0.2:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow:2.0.2:::::::*
cpe:2.3:a:redhat:virtualization:4.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:virtualization:4.0:::::::*
CVE-2017-12196		https://nvd.nist.gov/vuln/detail/CVE-2017-12196
GHSA-cp7v-vmv7-6x2q		https://github.com/advisories/GHSA-cp7v-vmv7-6x2q
RHSA-2018:0478		https://access.redhat.com/errata/RHSA-2018:0478
RHSA-2018:0479		https://access.redhat.com/errata/RHSA-2018:0479
RHSA-2018:0480		https://access.redhat.com/errata/RHSA-2018:0480
RHSA-2018:0481		https://access.redhat.com/errata/RHSA-2018:0481
RHSA-2018:1525		https://access.redhat.com/errata/RHSA-2018:1525
RHSA-2018:2405		https://access.redhat.com/errata/RHSA-2018:2405
RHSA-2018:3768		https://access.redhat.com/errata/RHSA-2018:3768
RHSA-2020:2561		https://access.redhat.com/errata/RHSA-2020:2561
RHSA-2020:2562		https://access.redhat.com/errata/RHSA-2020:2562

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12196.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12196

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://issues.jboss.org/browse/UNDERTOW-1190

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-12196

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-12196

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.69197
EPSS Score	0.00284
Published At	Nov. 1, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.