PT-2018-8406 · Red Hat · Undertow

Published 2018-01-10 · Updated 2022-05-13 · CVE-2017-7559

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Undertow versions 1.3.x before 1.3.31.Final
Undertow versions 1.4.x before 1.4.17.Final
Undertow versions 2.x before 2.0.0.Alpha2
Description

Affected versions accept characters in the query string and path parameters that are not valid in a URI. Where such input is reflected into a response, an attacker can inject data into the HTTP response (HTTP response splitting), which can lead to web-cache poisoning, cross-site scripting, or disclosure of sensitive information from other users' requests. The CVSS vector matches this picture: no privileges are required, but a victim has to issue the crafted request (UI:R), and the impact lands on the client or an intermediate cache rather than on the server itself (S:C).
Recommendations

For Undertow versions 1.3.x before 1.3.31.Final, update to version 1.3.31.Final or later.
For Undertow versions 1.4.x before 1.4.17.Final, update to version 1.4.17.Final or later.
For Undertow versions 2.x before 2.0.0.Alpha2, update to version 2.0.0.Alpha2 or later.
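The injection described above, as an added example that is not part of this advisory and not Undertow's own code: a Python validator that enforces the RFC 3986 character set on a raw request target, beside a deliberately lenient redirect builder that reflects a query parameter into a Location header, to show how an accepted raw CR/LF splits the response into one a client or cache reads as two. The /go path, the next parameter and the request strings are constructed for the demonstration; the actual Undertow fix is not reproduced here.

```python
"""Added example: RFC 3986 character validation for a raw HTTP request target,
plus a deliberately lenient redirect builder showing why accepting raw CR/LF
in a query string lets an attacker split the response. Not Undertow code."""
import re

# RFC 3986 grammar applied to the raw (still percent-encoded) target:
#   pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
#   path  = *( "/" pchar )      query = *( pchar / "/" / "?" )
_PCHAR = r"[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2}"
_PATH_RE = re.compile(rf"(?:/(?:{_PCHAR})*)*")
_QUERY_RE = re.compile(rf"(?:{_PCHAR}|[/?])*")


def validate_target(target: str) -> tuple[str, str]:
    """Split an origin-form request target into (path, query), rejecting any
    character the URI grammar does not allow (raw CR, LF, NUL, space, bare '%', ...)."""
    path, _, query = target.partition("?")
    if not path.startswith("/") or _PATH_RE.fullmatch(path) is None:
        raise ValueError(f"400 Bad Request: invalid character in path {path!r}")
    if _QUERY_RE.fullmatch(query) is None:
        raise ValueError(f"400 Bad Request: invalid character in query string {query!r}")
    return path, query


def first_param(query: str, name: str) -> str:
    """Raw (undecoded) value of the first occurrence of `name` in the query string."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""


def redirect_response(query: str, validate: bool) -> bytes:
    """Build a 302 that reflects the raw 'next' parameter into Location.

    validate=False mimics a server that accepts any character in the query
    string (the behaviour the advisory describes); validate=True applies the
    RFC 3986 check first. '/go' and 'next' are hypothetical names."""
    if validate:
        validate_target("/go?" + query)
    location = first_param(query, "next")
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    ).encode("latin-1")


def header_names(response: bytes) -> list[str]:
    """Header names a client (or a shared cache) parses out of the response head."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode("latin-1") for line in head.split(b"\r\n")[1:]]


if __name__ == "__main__":
    # Constructed attack input: a raw CR LF inside the 'next' value.
    hostile = "next=/home\r\nSet-Cookie:session=attacker"
    print(header_names(redirect_response(hostile, validate=False)))  # ['Location', 'Set-Cookie', 'Content-Length']
    try:
        redirect_response(hostile, validate=True)
    except ValueError as exc:
        print(exc)  # 400 Bad Request: invalid character in query string ...
    # Percent-encoded CR LF is valid on the wire; it is the application's job to
    # reject it after decoding, before reflecting the value into a header.
    print(header_names(redirect_response("next=/home%0d%0aSet-Cookie:x", validate=True)))  # ['Location', 'Content-Length']
```

The lenient path yields a response carrying an attacker-chosen Set-Cookie header; the strict path refuses the request with a 400 before any reflection happens. Note that %0d%0a passes the raw-character check, as the grammar requires: this advisory concerns characters that should never have been accepted in the raw request, while checking percent-decoded values before placing them in a header remains the application's responsibility.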

Fix

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2017-7559
GHSA-RJ76-H87P-R3WF
RHSA-2017:3454
RHSA-2017:3455
RHSA-2017:3458
RHSA-2018:0002
RHSA-2018:0004
RHSA-2018:0005

Affected Products

Undertow