Bug 1990252 (CVE-2021-3688) - CVE-2021-3688 Red Hat JBCS: URL normalization issue with dot-dot-semicolon(s) leads to information disclosure
Keywords:
Status: NEW
Alias: CVE-2021-3688
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1966279
 
Reported: 2021-08-05 06:53 UTC by Ted Jongseok Won
Modified: 2025-05-16 08:28 UTC (History)
CC: 38 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Ted Jongseok Won 2021-08-05 06:53:54 UTC
Red Hat JBoss Core Services (JBCS) HTTP Server does not properly normalize the path component of a request URL that contains dot-dot-semicolon(s) before forwarding it to the backend server. For instance, JBCS forwards a request URL '/A/..;/B' to the backend server without proper URL normalization only if the path '/A' is mapped in the JBCS configuration. The flaw causes the path '/B' to be proxied to the client, but normally it must not be proxied.
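The following Python is an added illustration, not code from the bug report, JBCS, httpd or Tomcat. It models the mismatch the description points at: a front end that matches its mapping on the path as written and resolves only literal '.' and '..' segments, in front of a servlet-container-style backend that discards ';...' path parameters from every segment before resolving '..', so that '/A/..;/B' passes the '/A' mapping check yet resolves to '/B' on the backend. The '/A' mapping, the shared percent-decoding step, and the function names are assumptions of the model; `hardened_route` shows one mitigation, routing on the backend's view of the path instead of the raw one.

```python
"""Constructed model of the '/A/..;/B' normalization mismatch (example code, not JBCS/httpd/Tomcat).

Assumptions, labelled as such:
  * both sides percent-decode the path before any other processing;
  * the front end resolves only segments that are exactly '.' or '..';
  * the backend strips ';param' from each segment first, so '..;' becomes '..'.
"""
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 style '.'/'..' resolution. A segment counts as '..' only when it
    is exactly '..', so a segment such as '..;' is kept verbatim."""
    if not path.startswith("/"):
        path = "/" + path
    segments = path.split("/")[1:]  # drop the empty element before the leading '/'
    out = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    if segments and segments[-1] in (".", ".."):
        out.append("")  # trailing '.'/'..' resolves to a directory, keep the '/'
    return "/" + "/".join(out)


def front_end_normalize(path: str) -> str:
    """Assumed front-end view: decode, then resolve literal dot segments only."""
    return remove_dot_segments(unquote(path))


def backend_normalize(path: str) -> str:
    """Assumed servlet-style backend view: drop ';...' path parameters from each
    segment, then resolve dot segments. '/A/..;/B' therefore becomes '/B'."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in unquote(path).split("/"))
    return remove_dot_segments(stripped)


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def route(path: str, mapped_prefix: str, normalize) -> dict:
    """Apply the mapping check with the given normalizer, then report where the
    forwarded request actually resolves on the backend."""
    seen = normalize(path)
    forwarded = _under(seen, mapped_prefix)
    target = backend_normalize(path) if forwarded else None
    return {
        "front_end_view": seen,
        "forwarded": forwarded,
        "backend_target": target,
        "escaped_mapping": forwarded and not _under(target, mapped_prefix),
    }


def vulnerable_route(path: str, mapped_prefix: str = "/A") -> dict:
    """Weak setting: the mapping is checked against the front end's own view."""
    return route(path, mapped_prefix, front_end_normalize)


def hardened_route(path: str, mapped_prefix: str = "/A") -> dict:
    """Mitigation: check the mapping against the path as the backend will see it."""
    return route(path, mapped_prefix, backend_normalize)


if __name__ == "__main__":
    # Constructed request paths: a plain one, the bypass, its encoded form, and a
    # legitimate path-parameter use that a hardened front end must still accept.
    for p in ("/A/index", "/A/../B", "/A/..;/B", "/A/%2e%2e;/B", "/A;jsessionid=abc/x"):
        print(f"{p:24} vulnerable={vulnerable_route(p)}")
        print(f"{'':24} hardened  ={hardened_route(p)}")
```

With the weak routing, '/A/..;/B' is forwarded because the front end's view still starts with '/A', while the backend resolves it to '/B', outside the mapped prefix; the hardened routing sees '/B' up front and does not forward it, yet still forwards '/A;jsessionid=abc/x' as '/A/x'. Whether a real deployment should instead reject ';' in path segments outright depends on whether the application relies on path parameters.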

Comment 4 Huzaifa S. Sidhpurwala 2021-11-15 10:21:48 UTC
This flaw is essentially a product of the interaction of Tomcat with httpd. ASF does not consider this issue CVE-worthy at this point.

