Task
Resolution: Done
High
Dublin Release
DCAE R4 Sprint 8 (RC0), DCAE R4 Sprint 9 (RC1)
Switch to the version specified in the last column.

| Component | Dependency | Description | Recommendation |
|---|---|---|---|
| onap-dcaegen2-analytics-tca-gen2 | io.undertow : undertow-core : 1.4.25.Final | Description from CVE: GET requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. Explanation: The undertow-core package is vulnerable to Information Exposure. The getHostAndPort() method in the HttpServerExchange class exposes an internal IP address via the Location header during a 302 redirect if the Host header field is not set. A remote attacker can exploit this issue by submitting a GET request that results in a 302 redirect response. The attacker can leverage this vulnerability to exfiltrate an internal IP address that can potentially be used for further attacks. | Switch to 2.0.17.Final |
Relates to: DCAEGEN2-1208 dcaegen2/analytics/tca-gen2 security vulnerabilities (Closed)