Miggo Logo
Miggo Vulnerability Database
CVE-2019-3888

CVE-2019-3888: Credential exposure through log files in Undertow

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-3888
GHSA ID
GHSA-jwgx-9mmh-684w
EPSS Score
0.67599%
CWE
CWE-532
Published
6/13/2019
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
io.undertow:undertow-coremaven< 2.0.212.0.21

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from error logging that captures sensitive data in HttpServerExchange. The CVE description directly identifies Connectors.executeRootHandler line 402 as the vulnerable location where UndertowLogger.REQUEST_LOGGER.undertowRequestFailed() is called with the exchange object. This function would appear in stack traces when logging occurs during error handling scenarios, making it the primary runtime indicator. While the logger method itself (undertowRequestFailed) is involved, the root cause is the execution context in Connectors.executeRootHandler that passes sensitive data to the logger.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in Un**rtow w** s*rv*r ***or* *.*.**. *n in*orm*tion *xposur* o* pl*in t*xt *r***nti*ls t*rou** lo* *il*s ****us* *onn**tors.*x**ut*Root**n*l*r:*** lo*s t** *ttpS*rv*r*x***n** o*j**t *t *RROR l*v*l usin* Un**rtowLo***r.R*QU*

Reasoning

T** vuln*r**ility st*ms *rom *rror lo**in* t**t **ptur*s s*nsitiv* **t* in `*ttpS*rv*r*x***n**`. T** *V* **s*ription *ir**tly i**nti*i*s `*onn**tors.*x**ut*Root**n*l*r` lin* *** *s t** vuln*r**l* lo**tion w**r* `Un**rtowLo***r.R*QU*ST_LO***R.un**rtow