PT-2020-12284 · Red Hat · Undertow

Published: 2020-09-23 · Updated: 2022-02-22 · CVE-2020-10687

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Undertow versions prior to 2.2.0.Final

Description: A flaw was discovered in Undertow that allows HTTP request smuggling against HTTP/1.x and HTTP/2 because invalid characters are permitted in an HTTP request. This issue can be exploited to poison a web cache, perform a cross-site scripting (XSS) attack, or obtain sensitive information from requests other than the attacker's own.

Recommendations: For versions prior to 2.2.0.Final, update to Undertow 2.2.0.Final to resolve the issue. As a temporary workaround, consider restricting HTTP requests so that invalid characters are rejected before they are processed, until a patch is available.
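The workaround above amounts to strict validation of the request head: reject any request line or header that contains characters outside the RFC 7230 grammar rather than tolerating them. The following validator is an added example written for this page; it is not Undertow code and not part of the advisory. It assumes the RFC 7230 token and field-value character sets quoted in the comments, and the sample requests are constructed for the demonstration.

```python
import re

# RFC 7230 grammar restated here (the advisory itself does not quote it):
#   token         = 1*tchar
#   tchar         = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#                   "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
#   field-value   = *( field-content / obs-fold )      (obs-fold is deprecated)
#   field-content characters: VCHAR / obs-text / SP / HTAB
# fullmatch() is used rather than "$" anchors because "$" would accept a
# trailing newline, which is exactly the kind of character to reject.
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
FIELD_VALUE_RE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")
REQUEST_TARGET_RE = re.compile(rb"[\x21-\x7e]+")   # no SP, CTL or DEL in the target
HTTP_VERSION_RE = re.compile(rb"HTTP/1\.[01]")


def validate_request_head(raw: bytes) -> list:
    """Return a list of problems found in the request head (empty list = clean).

    Only the head (request line plus headers, terminated by CRLF CRLF) is
    inspected; the body is left alone. Every violation is reported instead
    of stopping at the first, which is more useful for logging and detection.
    """
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["request head is not terminated by CRLF CRLF"]
    # Any LF left after removing proper CRLF pairs is a bare line feed.
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF (no preceding CR) inside the request head")
    lines = head.split(b"\r\n")

    # request-line = method SP request-target SP HTTP-version
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        problems.append("request line does not have exactly three space-separated parts")
    else:
        method, target, version = parts
        if not TOKEN_RE.fullmatch(method):
            problems.append("method is not a valid token: %r" % method)
        if not REQUEST_TARGET_RE.fullmatch(target):
            problems.append("request-target contains whitespace or control characters")
        if not HTTP_VERSION_RE.fullmatch(version):
            problems.append("unrecognised HTTP version: %r" % version)

    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding (header continuation line)")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append("header line without a colon: %r" % line)
            continue
        if not TOKEN_RE.fullmatch(name):
            # Catches whitespace before the colon and control characters in names.
            problems.append("invalid character in header name: %r" % name)
        if not FIELD_VALUE_RE.fullmatch(value):
            problems.append("invalid character in header value of %r" % name)
    return problems


# Constructed sample requests (not taken from the advisory or from Undertow).
CLEAN_REQUEST = (
    b"POST /api/items HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# A header name with whitespace before the colon and a header value carrying
# a bare line feed: both are outside the grammar and must be rejected.
SLOPPY_REQUEST = (
    b"POST /api/items HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"X-Custom-Header : value\r\n"
    b"X-Note: first\nsecond\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("sloppy", SLOPPY_REQUEST)):
        print(label, validate_request_head(req) or "OK")
```

Placing a check like this in front of the application (for example in a reverse proxy or a request filter) makes every hop in the chain agree on what a request contains, which is the condition that request smuggling depends on being violated. The clean request passes with no findings; the sloppy one produces three, one for the bare LF, one for the header name, and one for the header value.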

Fix

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

CVE-2020-10687
GHSA-P9W3-GWC2-CR49
RHSA-2020:3461
RHSA-2020:3462
RHSA-2020:3463
RHSA-2020:3637
RHSA-2020:3638
RHSA-2020:3639
RHSA-2021:0872
RHSA-2021:0873
RHSA-2021:0874

Affected Products

Undertow