HttpServer and HttpClient Vulnerability in Eclipse Vert.x by Eclipse Foundation
CVE-2018-12537

5.3MEDIUM

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Vert.x
Vendor: CVE Published:; 14 August 2018

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2018-12537?

Eclipse Vert.x versions 3.0 to 3.5.1 contain a vulnerability in which the HttpServer and HttpClient fail to properly filter carriage return and line feed characters from response and request header values. This oversight allows attackers to inject new headers into client requests or server responses, leading to potential security risks such as HTTP response splitting or cache poisoning. Organizations using affected versions should apply the recommended updates to mitigate these risks.

Affected Version(s)

Eclipse Vert.x 3.0

Eclipse Vert.x <= 3.5.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-12537
Created by tafamace

References

https://github.com/eclipse/vert.x/commit/1bb6445226c39a95...

x_refsource_CONFIRM

https://www.compass-security.com/fileadmin/Datein/Researc...

x_refsource_MISC

https://access.redhat.com/errata/RHSA-2018:2371

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 19, 2018
👾
Exploit known to exist
Nov 19, 2018
Vulnerability published
Aug 14, 2018
Vulnerability Reserved
Jun 18, 2018

The Eclipse Foundation

Badges

What is CVE-2018-12537?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline