PT-2019-5652 · Red Hat · Undertow

Published: 2019-06-10 · Updated: 2022-02-20 · CVE-2019-3888

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Undertow web server versions prior to 2.0.21

Description: The issue stems from insufficient protection of credentials, which can lead to the exposure of protected information. Specifically, the vulnerability allows an attacker to obtain plaintext credentials from log files, because Connectors.executeRootHandler logs the HttpServerExchange object at the ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed.

Recommendations: For versions prior to 2.0.21, update to version 2.0.21 or later to resolve the issue. As a temporary workaround, restrict access to log files to reduce the risk of exploitation.
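A defender-side check that complements the log-access workaround, added here as an example and not code from the advisory or the Undertow project: it scans log lines for a dumped HttpServerExchange object and flags or redacts credential-bearing headers. The sample log lines and the `HttpServerExchange{...}` dump format are constructed assumptions, not captured Undertow output.

```python
import re
from typing import Dict, List

# Constructed sample log lines for this example (not real Undertow output). The first
# two mimic an ERROR-level "request failed" entry whose exchange dump carries request
# headers; the HttpServerExchange{...} layout is an assumption made for the example.
SAMPLE_LOG = """\
2019-06-10 12:00:01,123 ERROR [io.undertow.request] (XNIO-1 task-1) Undertow request failed HttpServerExchange{ GET /api/items request {Authorization=[Basic dXNlcjpzZWNyZXQ=], Host=[app.example.internal]} response {}}
2019-06-10 12:00:02,456 ERROR [io.undertow.request] (XNIO-1 task-2) Undertow request failed HttpServerExchange{ POST /login request {Cookie=[JSESSIONID=abc123def], Content-Type=[application/x-www-form-urlencoded]} response {}}
2019-06-10 12:00:03,789 INFO  [io.undertow] (main) Undertow started on port 8080
"""

# Headers whose values are credentials or session tokens and must never reach a log.
SENSITIVE_HEADERS = ("Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie")

# Matches "Header=[value]" inside the dumped header map, case-insensitive on the name.
HEADER_RE = re.compile(
    r"\b(" + "|".join(SENSITIVE_HEADERS) + r")=\[([^\]]*)\]", re.IGNORECASE
)


def is_exchange_dump(line: str) -> bool:
    """True if the line contains a logged HttpServerExchange object."""
    return "HttpServerExchange{" in line


def find_leaked_credentials(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per sensitive header found inside a logged exchange dump."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not is_exchange_dump(line):
            continue
        for match in HEADER_RE.finditer(line):
            # Record the header name and the value length only; never copy the secret.
            findings.append({"line": lineno, "header": match.group(1),
                             "value_length": len(match.group(2))})
    return findings


def redact_line(line: str) -> str:
    """Replace sensitive header values so the line can be retained or shared safely."""
    return HEADER_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {f['line']}: {f['header']} value leaked ({f['value_length']} chars)")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```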

Fix

XSS

Insertion into Log File


Weakness Enumeration

Related Identifiers

BDU:2020-04801
BDU:2020-04803
CVE-2019-3888
GHSA-JWGX-9MMH-684W
OESA-2021-1422
RHSA-2019:1419
RHSA-2019:1420
RHSA-2019:1421
RHSA-2019:2439

Affected Products

Undertow