The servletPath is normalized by the Servlet container, and truncated after the semicolon, leading to a partial servletPath. Leading to a full path "/api/public/aa/secret" and servletPath "/api/public/aa" leading to application mapping "/secret". This can lead to a security bypass depending on where and how URL-based security is applied.
Acknowledgments: Name: Fedorov Oleksii (LINE Corporation), Keitaro Yamazaki (LINE Corporation), Shiga Ryota (LINE Corporation)
Hi Ist here any more information available on this issue? Is it reported upstream and fixed? I'm interested to track this issue in other downstreams (in my case Debian) as we ship underdow as well. Regards, Salvatore
Hello Salvatore, This issue was reported to us by our private request tracker. All the information available was distilled into this flaw. Perhaps discussing the specifics with @krathod or @chazlett from the analysis team would be a good approach.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:2058 https://access.redhat.com/errata/RHSA-2020:2058
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:2059 https://access.redhat.com/errata/RHSA-2020:2059
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:2060 https://access.redhat.com/errata/RHSA-2020:2060
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2061 https://access.redhat.com/errata/RHSA-2020:2061
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1757
This issue has been addressed in the following products: Red Hat Single Sign On 7.3.8 Via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512
Mitigation: The issue can be mitigated by configuring UrlPathHelper to ignore the servletPath via setting "alwaysUseFullPath".
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905
This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
This issue has been addressed in the following products: Red Hat Data Grid 7.3.7 Via RHSA-2020:3779 https://access.redhat.com/errata/RHSA-2020:3779