CVE-2017-7559

6.1MEDIUM

Key Information:

Vendor
Red Hat
Status
Undertow
Vendor
CVE Published:
10 January 2018

Summary

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

Affected Version(s)

undertow 2.x before 2.0.0.Alpha2

undertow 1.4.x before 1.4.17.Final

undertow 1.3.x before 1.3.31.Final

References

https://access.redhat.com/errata/RHSA-2018:1322
vendor-advisoryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7559
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:0002
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.