Описание
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
A flaw was discovered in Undertow where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Application Platform Continuous Delivery | wildfly-undertow | Out of support scope | ||
| Red Hat JBoss Fuse 6 | wildfly-undertow | Out of support scope | ||
| Red Hat Fuse 7.7.0 | Fixed | RHSA-2020:3192 | 28.07.2020 | |
| Red Hat JBoss Enterprise Application Platform 7 | wildfly-undertow | Fixed | RHSA-2020:3642 | 07.09.2020 |
| Red Hat JBoss Enterprise Application Platform 7 | Fixed | RHSA-2021:0885 | 16.03.2021 | |
| Red Hat JBoss Enterprise Application Platform 7 | wildfly-undertow | Fixed | RHSA-2020:3464 | 17.08.2020 |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | eap7-dom4j | Fixed | RHSA-2020:3637 | 07.09.2020 |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | eap7-elytron-web | Fixed | RHSA-2020:3637 | 07.09.2020 |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | eap7-glassfish-jsf | Fixed | RHSA-2020:3637 | 07.09.2020 |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | eap7-hal-console | Fixed | RHSA-2020:3637 | 07.09.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
4.8 Medium
CVSS3
Связанные уязвимости
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
A flaw was discovered in all versions of Undertow before Undertow 2.2. ...
EPSS
4.8 Medium
CVSS3