HTTP response splitting in Undertow - CVE-2017-2666

 


Published: July 17, 2017


Vulnerability identifier: #VU7548
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-2666
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Undertow

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a phishing attack.

The vulnerability exists due to an error when processing headers in HTTP requests in Undertow. A remote attacker can create a specially crafted HTTP request, split the HTTP response from the server and poison the web cache.

Successful exploitation of the vulnerability may allow an attacker to poison the web cache and perform phishing or XSS attacks against website visitors.
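
The description above ties the issue to how headers in HTTP requests are processed. The following Python example is added here for illustration and is not Undertow's code or part of the advisory: it shows strict header handling of the kind that prevents response splitting (CWE-113). The function names and the choice of RFC 7230 character rules are assumptions.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field value: HTAB, SP, visible ASCII and obs-text (0x80-0xFF); no CR, LF or NUL.
_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class HeaderError(ValueError):
    """Raised instead of guessing how to interpret a malformed header."""


def parse_header_block(raw: bytes) -> list[tuple[str, str]]:
    """Strictly parse request headers (the bytes after the request line)."""
    text = raw.decode("latin-1")
    if not text.endswith("\r\n\r\n"):
        raise HeaderError("header block must end with CRLF CRLF")
    headers = []
    for line in text[:-4].split("\r\n"):
        # Anything left after splitting on CRLF is a bare CR or LF, which a
        # lenient peer (proxy, cache, backend) may treat as a line break.
        if "\r" in line or "\n" in line:
            raise HeaderError("bare CR or LF in header line")
        name, sep, value = line.partition(":")
        # fullmatch, not match with '$': '$' also matches before a trailing "\n".
        if not sep or not _TOKEN.fullmatch(name):
            raise HeaderError("invalid header field name")
        value = value.strip(" \t")
        if not _VALUE.fullmatch(value):
            raise HeaderError("control character in header value")
        headers.append((name.lower(), value))
    return headers


def safe_response_header(name: str, value: str) -> bytes:
    """Serialize one response header; refuse values that would start a new line."""
    if not _TOKEN.fullmatch(name) or not _VALUE.fullmatch(value):
        raise HeaderError("refusing to emit header with invalid characters")
    return f"{name}: {value}\r\n".encode("latin-1")


if __name__ == "__main__":
    # Constructed sample input, not taken from the advisory.
    print(parse_header_block(b"Host: example.test\r\nAccept: */*\r\n\r\n"))
    print(safe_response_header("Location", "/home"))
```

Rejecting ambiguous input outright, rather than normalizing it, keeps a front-end proxy or cache and the application server from disagreeing about where one header or response ends.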


How to mitigate CVE-2017-2666

Update to version 1.4.18.
