CVE-2020-1745 is a vulnerability in Red Hat Undertow
Published on April 28, 2020
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
Vulnerability Analysis
CVE-2020-1745 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2020-1745 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2020-1745
Want to know whenever a new CVE is published for Red Hat Undertow? stack.watch will email you.
Affected Versions
undertow-io undertow Version <= 2.0.29.Final is affected by CVE-2020-1745Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.