Description
JBoss EAP 6.4.21 was found not to parse the header field-name in accordance with RFC 7230[1], Section 3.2.4: a request containing whitespace between a header field-name and the colon is accepted and processed, and the server answers 200 where the RFC requires it to reject the message with 400 Bad Request.
A flaw was discovered in JBoss EAP, where it does not process the header field-name in accordance with RFC 7230. Whitespace between the header field-name and colon is processed, resulting in an HTTP response code of 200 instead of a 400 Bad Request.
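The following is an added example, not code from the advisory, from Red Hat or from the affected products: a minimal HTTP/1.1 request-head parser that implements the RFC 7230 Section 3.2.4 rule the description refers to in two modes. Strict mode rejects whitespace between a field-name and the colon with 400; lenient mode silently drops that whitespace and returns 200, which is the behaviour the description attributes to the affected versions. The sample requests are constructed, and the `probe` helper, its default port and the hostname `app.example.test` are assumptions for illustration.

```python
# Added example (not advisory, Red Hat or Undertow code): RFC 7230 3.2.4
# header field-name check, strict versus lenient.
import re
import socket

# tchar from RFC 7230 section 3.2.6. A field-name is a token, so it can
# never legitimately contain SP or HTAB.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample requests (not captured traffic).
REQUEST_OK = (b"GET / HTTP/1.1\r\n"
              b"Host: app.example.test\r\n"
              b"Content-Length: 0\r\n\r\n")
REQUEST_SPACE_BEFORE_COLON = (b"GET / HTTP/1.1\r\n"
                              b"Host : app.example.test\r\n"
                              b"Content-Length : 0\r\n\r\n")


def parse_request(raw: bytes, strict: bool = True):
    """Parse the head of an HTTP/1.1 request.

    Returns (status, headers): status is 200 when every header line is
    acceptable and 400 when the request must be rejected; headers maps the
    lower-cased field-name to its field-value for the lines accepted so far.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        return 400, {}                    # malformed request-line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return 400, headers           # no colon: not a header field
        if not strict:
            # Lenient: drop whitespace before the colon, as the affected
            # parser did, and carry on as if the request were well-formed.
            name = name.rstrip(b" \t")
        elif name != name.rstrip(b" \t"):
            # Strict: RFC 7230 3.2.4 says a server MUST reject this with 400.
            return 400, headers
        # Any other non-token byte (including leading whitespace) is rejected
        # in both modes.
        if not _TOKEN.match(name.decode("latin-1")):
            return 400, headers
        headers[name.decode("latin-1").lower()] = (
            value.strip(b" \t").decode("latin-1"))
    return 200, headers


def probe(host: str, port: int = 8080, timeout: float = 5.0) -> int:
    """Send the space-before-colon request to a server you own and return the
    status code it answers with: 400 means it follows RFC 7230 3.2.4, a 2xx
    reproduces the behaviour described above. Hypothetical target; only run
    this against systems you are authorised to test."""
    request = REQUEST_SPACE_BEFORE_COLON.replace(b"app.example.test",
                                                 host.encode())
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        status_line = sock.recv(1024).split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    return int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else -1


if __name__ == "__main__":
    for label, req in (("compliant", REQUEST_OK),
                       ("space before colon", REQUEST_SPACE_BEFORE_COLON)):
        for strict in (True, False):
            status, _ = parse_request(req, strict=strict)
            print(f"{label:20s} strict={str(strict):5s} -> {status}")
```

The lenient branch is the point of the example: once the whitespace is stripped, the request looks ordinary to that parser, so a 200 from a server that should have answered 400 is the observable symptom a tester checks for.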
Mitigation
There is currently no known mitigation for this issue; where a fixed package is listed below, applying it is the only remedy.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | undertow | Not affected | | |
| Red Hat JBoss Data Virtualization 6 | jbossweb | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | jbossweb | Out of support scope | | |
| Red Hat JBoss Web Server 3 | tomcat | Not affected | | |
| Red Hat JBoss Web Server 5 | tomcat | Not affected | | |
| Red Hat OpenShift Application Runtimes | undertow | Affected | | |
| Red Hat Process Automation 7 | undertow | Not affected | | |
| Red Hat Single Sign-On 7 | undertow | Affected | | |
| Red Hat Data Grid 7.3.7 | undertow | Fixed | RHSA-2020:3779 | 17.09.2020 |
| Red Hat JBoss Enterprise Application Platform 7 | undertow-core | Fixed | RHSA-2020:3642 | 07.09.2020 |
Additional information
CVSS3: 7.5 (High)