#VU7548 HTTP response splitting in Undertow - CVE-2017-2666

Published: July 17, 2017


Vulnerability identifier: #VU7548
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-2666
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Undertow
Software vendor:
Red Hat Inc.

Description

The vulnerability allows a remote attacker to poison a web cache and carry out phishing or cross-site scripting attacks against other users of the site.

The vulnerability exists due to insufficient validation of characters in the request line and headers when Undertow parses incoming HTTP requests. A remote attacker can send a specially crafted request containing line-break or other invalid characters; where a front-end proxy or cache accepts the same bytes but interprets them differently from Undertow, the server's response is split so that part of the attacker's input is read as a second, attacker-controlled HTTP response.

Successful exploitation may allow an attacker to poison a shared web cache with that injected response and thereby serve phishing content or XSS payloads to other visitors of the website.
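The following Python example is added here to illustrate the parsing gap the description refers to; it is not Undertow code and does not reproduce the exact bytes involved in CVE-2017-2666. It contrasts a lenient request-line parser with a strict one, reflects the request target into a redirect (a hypothetical endpoint), and then reads the resulting bytes the way a downstream proxy or cache that accepts a bare LF as a line terminator would, counting how many responses it sees. The host name, the endpoint and the sample requests are constructed for this example.

```python
import re

# Constructed sample traffic for this example; nothing here is taken from
# Undertow or from a real exchange.
HOST = b"example.test"


def target_is_clean(target: bytes) -> bool:
    """True if every byte is visible ASCII (0x21-0x7E).

    RFC 7230 permits nothing else in a request-target: CR, LF, other
    controls, SP and DEL are all invalid. Refusing them is the check a
    parser needs to avoid CWE-113 (CRLF injection into headers)."""
    return all(0x21 <= b <= 0x7E for b in target)


def parse_request_line(raw: bytes, strict: bool) -> tuple[bytes, bytes, bytes]:
    """Return (method, target, version) from a raw HTTP/1.1 request.

    Both modes end the request line at the first CRLF, so a bare LF inside
    it survives. Lenient mode takes everything between the first and last
    space as the target, whatever it contains; strict mode refuses any
    invalid byte, which is the behaviour a fixed parser has."""
    line, sep, _ = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("request line not terminated")
    method, _, rest = line.partition(b" ")
    target, _, version = rest.rpartition(b" ")
    if not (method and target and version.startswith(b"HTTP/")):
        raise ValueError("malformed request line")
    if strict and not target_is_clean(target):
        raise ValueError("invalid character in request-target")
    return method, target, version


def handle_redirect(raw_request: bytes, strict: bool) -> bytes:
    """Hypothetical endpoint that 302-redirects to the requested target.

    Reflecting the target into the Location header is what turns an
    unvalidated request line into header injection on the response."""
    try:
        _, target, _ = parse_request_line(raw_request, strict)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (b"HTTP/1.1 302 Found\r\nLocation: " + target +
            b"\r\nContent-Length: 0\r\n\r\n")


_HEADER_END = re.compile(rb"\r?\n\r?\n")
_LINE_END = re.compile(rb"\r?\n")


def count_messages(stream: bytes) -> int:
    """Count the HTTP responses a lenient downstream parser sees in a stream.

    Models a proxy or cache that accepts a bare LF as a line terminator
    (RFC 7230 section 3.5 lets recipients do so) and frames bodies by
    Content-Length. The origin and this peer disagreeing about where a
    line ends is the interpretation gap the advisory describes: two
    responses for one request means the second, attacker-written one can
    be cached or attributed to another client's request."""
    count, pos = 0, 0
    while pos < len(stream):
        end = _HEADER_END.search(stream, pos)
        if end is None:
            break
        lines = _LINE_END.split(stream[pos:end.start()])
        if not lines[0].startswith(b"HTTP/"):
            break  # leftover bytes that are not a status line
        length = 0
        for header in lines[1:]:
            name, _, value = header.partition(b":")
            if name.strip().lower() == b"content-length" and value.strip().isdigit():
                length = int(value.strip())
        count += 1
        pos = end.end() + length
    return count


# Constructed attack: a bare LF ends the Location header early, then the
# attacker supplies a complete second response of their own.
EVIL_BODY = b"<script>alert(1)</script>"
INJECTED_TARGET = (b"/x\nContent-Length:0\n\n"
                   b"HTTP/1.1 200 OK\nContent-Type:text/html\n"
                   b"Content-Length:" + str(len(EVIL_BODY)).encode() + b"\n\n" + EVIL_BODY)
ATTACK_REQUEST = b"GET " + INJECTED_TARGET + b" HTTP/1.1\r\nHost: " + HOST + b"\r\n\r\n"
BENIGN_REQUEST = b"GET /ok HTTP/1.1\r\nHost: " + HOST + b"\r\n\r\n"

if __name__ == "__main__":
    split = handle_redirect(ATTACK_REQUEST, strict=False)
    print("lenient parser: downstream sees", count_messages(split), "responses")
    print("strict parser:", handle_redirect(ATTACK_REQUEST, strict=True).split(b"\r\n")[0])
```

With the lenient parser the downstream reader frames two responses from a single request, the second being the attacker's HTML; with the strict parser the same request is refused with a 400 before any header is built from it. The useful takeaway for a deployment is that validation must happen at the origin, since a cache in front of it cannot tell the injected second response from a legitimate one.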


Remediation

Update to version 1.4.18.

External links