Vulnerability in Undertow Affects Multiple Versions by Red Hat
CVE-2017-7559

6.1 MEDIUM

Key Information:

Vendor
Red Hat
Status
Vendor
CVE Published:
10 January 2018

Summary

In specific versions of Undertow, query string and path parameters are not adequately validated. This allows invalid characters to be injected into a request, which can be exploited when a proxy in front of the server interprets those characters differently than Undertow does. Such an exploit may lead to data being injected into HTTP responses, enabling attackers to poison web caches, execute XSS attacks, or extract sensitive information from other users' requests.
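As an added illustration of the missing check the summary describes (this is example code written for this page, not Undertow's own parser or patch), the function below scans the raw request-target of an HTTP request and reports every character in the path or query that falls outside the RFC 3986 grammar, which is the kind of validation a reverse proxy or request filter can apply before forwarding. The request-targets it checks are constructed samples, not captured traffic.

```python
"""Flag characters in a raw request-target that RFC 3986 does not allow."""
import re

# RFC 3986: pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
# path allows pchar and "/"; query additionally allows "?"
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = "!$&'()*+,;="
_PATH_CHAR = re.compile(f"[{_UNRESERVED}{_SUB_DELIMS}:@/]")
_QUERY_CHAR = re.compile(f"[{_UNRESERVED}{_SUB_DELIMS}:@/?]")
_PCT = re.compile("%[0-9A-Fa-f]{2}")  # a well-formed percent escape


def invalid_chars(text: str, allowed: re.Pattern) -> list[tuple[int, str]]:
    """Return (index, char) for each character not permitted by `allowed`.

    A '%' counts as valid only when it starts a complete %HH escape, so a
    bare or malformed percent sign is reported as well.
    """
    bad, i = [], 0
    while i < len(text):
        if text[i] == "%":
            if _PCT.match(text, i):
                i += 3
                continue
            bad.append((i, "%"))
        elif not allowed.match(text[i]):
            bad.append((i, text[i]))  # e.g. CR, LF, space, quote
        i += 1
    return bad


def check_request_target(target: str) -> dict[str, list[tuple[int, str]]]:
    """Split a raw request-target at the first '?' and check both halves."""
    path, _, query = target.partition("?")
    return {"path": invalid_chars(path, _PATH_CHAR),
            "query": invalid_chars(query, _QUERY_CHAR)}


def is_safe(target: str) -> bool:
    """True when neither path nor query contains a disallowed character."""
    return not any(check_request_target(target).values())


SAMPLE_TARGETS = {  # constructed request-targets for demonstration only
    "clean": "/api/users?id=42&sort=name%20asc",
    "crlf_in_query": "/api/users?id=42\r\nX-Injected: 1",
    "bare_space_and_quote": "/search?q=a b\"c",
    "bad_percent_in_path": "/files/%zz/report",
}

if __name__ == "__main__":
    for name, target in SAMPLE_TARGETS.items():
        print(name, "safe" if is_safe(target) else check_request_target(target))
```

A proxy that rejects (or at least logs) requests failing this check removes the ambiguity the advisory relies on, since the same bytes can no longer be parsed one way by the proxy and another way by the origin server.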

Affected Version(s)

undertow 2.x before 2.0.0.Alpha2

undertow 1.4.x before 1.4.17.Final

undertow 1.3.x before 1.3.31.Final

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
