Vulnerability Name:

CVE-2020-1710

Assigned:2019-11-27
Published:2020-09-16
Updated:2020-09-22
Summary:The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-Other
References:Source: MITRE
Type: CNA
CVE-2020-1710

Source: MISC
Type: Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1793970

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*
  • OR cpe:/a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:6.4.21:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*

    • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2020-1710 (CCN-188393)

    Assigned:2019-11-27
    Published:2020-09-11
    Updated:2020-09-22
    Summary:The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
    CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
    4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): None
    Integrity (I): Low
    Availibility (A): None
    7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
    6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): None
    Integrity (I): High
    Availibility (A): None
    CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): None
    Integrity (I): Partial
    Availibility (A): None
    7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Athentication (Au): None
    Impact Metrics:Confidentiality (C): None
    Integrity (I): Complete
    Availibility (A): None
    Vulnerability Type:CWE-Other
    Vulnerability Consequences:Bypass Security
    References:Source: MITRE
    Type: CNA
    CVE-2020-1710

    Source: CCN
    Type: Red Hat Bugzilla – Bug 1793970
    (CVE-2020-1710) - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230

    Source: MISC
    Type: Issue Tracking, Vendor Advisory
    https://bugzilla.redhat.com/show_bug.cgi?id=1793970

    Source: CCN
    Type: Red Hat Web site
    JBoss EAP

    Source: XF
    Type: UNKNOWN
    redhat-jboss-cve20201710-sec-bypass(188393)

    BACK
    redhat jboss data grid -
    redhat jboss data grid 7.0.0
    redhat jboss enterprise application platform -
    redhat jboss enterprise application platform 6.4.21
    redhat jboss enterprise application platform 7.0.0
    redhat jboss enterprise application platform 7.2.0
    redhat jboss enterprise application platform 7.3.0
    redhat openshift application runtimes -
    redhat single sign-on -