CVE-2017-2666

EUVD-2018-0639

27.07.2018, 14:29

It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

HTTP Request/Response Smuggling

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
redhat	CNA	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 80%

Affected Products (NVD)

Vendor	Product	Version
redhat	undertow	-
redhat	jboss_enterprise_application_platform	7.0.0
redhat	jboss_enterprise_application_platform	7.1.0
redhat	jboss_enterprise_application_platform	7.0.0
redhat	jboss_enterprise_application_platform	7.1.0
debian	debian_linux	9.0
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

undertow

sid	2.3.8-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

undertow

artful	not-affected
bionic	not-affected
cosmic	not-affected
disco	not-affected
eoan	not-affected
focal	not-affected
groovy	not-affected
hirsute	not-affected
impish	not-affected
jammy	not-affected
kinetic	not-affected
lunar	dne
mantic	dne
noble	needs-triage
trusty	dne
xenial	needed
yakkety	ignored
zesty	Fixed 1.4.8-1+deb9u1build0.17.04.1 released