[MAVEN:GHSA-P9W3-GWC2-CR49] HTTP Request Smuggling in Undertow

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.

Package	Affected Version
pkg:maven/io.undertow/undertow-core	<= 2.1.0.Final

Package	Fixed Version
pkg:maven/io.undertow/undertow-core	= 2.2.0.Final

ID: MAVEN:GHSA-P9W3-GWC2-CR49
Severity: moderate
URL: https://github.com/advisories/GHSA-p9w3-gwc2-cr49
Published: 2021-04-30T17:28:52
(3 years ago)
Modified: 2023-02-01T05:05:39
(19 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2020-10687
			https://bugzilla.redhat.com/show_bug.cgi?id=1785049
			https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c@%3Cdev.cxf.apache.org%3E
			https://security.netapp.com/advisory/ntap-20220210-0015/
			https://github.com/advisories/GHSA-p9w3-gwc2-cr49

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/io.undertow/undertow-core	io.undertow	undertow-core	<= 2.1.0.Final
Fixed	pkg:maven/io.undertow/undertow-core	io.undertow	undertow-core	= 2.2.0.Final

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date