CVE-2017-7559
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2017-7559
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7559.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-7559
- Aliases
- Related
- Published
- 2018-01-10T15:29:00Z
- Modified
- 2024-09-03T01:55:46.627198Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
- References
-
- https://access.redhat.com/errata/RHSA-2017:3454
- https://access.redhat.com/errata/RHSA-2017:3455
- https://access.redhat.com/errata/RHSA-2017:3456
- https://access.redhat.com/errata/RHSA-2017:3458
- https://access.redhat.com/errata/RHSA-2018:0002
- https://access.redhat.com/errata/RHSA-2018:0003
- https://access.redhat.com/errata/RHSA-2018:0004
- https://access.redhat.com/errata/RHSA-2018:0005
- https://access.redhat.com/errata/RHSA-2018:1322
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7559
- https://issues.jboss.org/browse/UNDERTOW-1251
Affected packages
Git / github.com/undertow-io/undertow
Affected versions
1.*
1.3.0.Final
1.3.1.Final
1.3.10.Final
1.3.11.Final
1.3.12.Final
1.3.13.Final
1.3.14.Final
1.3.15.Final
1.3.16.Final
1.3.17.Final
1.3.18.Final
1.3.19.Final
1.3.2.Final
1.3.20.Final
1.3.21.Final
1.3.22.Final
1.3.23.Final
1.3.24.Final
1.3.25.Final
1.3.26.Final
1.3.27.Final
1.3.28.Final
1.3.3.Final
1.3.30.Final
1.3.5.Final
1.3.6.Final
1.3.7.Final
1.3.8.Final
1.3.9.Final