Description
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
Statement
This flaw in Undertow's header parsing logic allows for request smuggling attacks when Undertow is deployed behind an upstream proxy. Crafted requests can bypass security controls by being interpreted differently by Undertow and the proxy, potentially leading to unauthorized access or cache poisoning.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 4 | undertow-core | Affected | | |
| Red Hat build of Apache Camel - HawtIO 4 | undertow-core | Affected | | |
| Red Hat Data Grid 8 | undertow-core | Affected | | |
| Red Hat Enterprise Linux 10 | moditect | Not affected | | |
| Red Hat Enterprise Linux 8 | pki-core:10.6/resteasy | Not affected | | |
| Red Hat Enterprise Linux 8 | pki-deps:10.6/resteasy | Not affected | | |
| Red Hat Enterprise Linux 9 | resteasy | Affected | | |
| Red Hat Fuse 7 | undertow-core | Affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | undertow-core | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 8 | org.jberet-jberet-parent | Affected | | |
Additional information
Status:
CVSS3 score: 8.7 High