Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFqd2Mtdjcydi1mcTZy
HTTP request smuggling in Undertow
A flaw was found in Undertow: a regression in the fix for CVE-2020-10687. HTTP request smuggling related to CVE-2017-2666 is again possible against HTTP/1.x and HTTP/2 because invalid characters are permitted in an HTTP request. This flaw allows an attacker to poison a web cache, perform an XSS attack, or obtain sensitive information from requests other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
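The description above is the general class of "a lenient parser tolerates bytes that RFC 7230 forbids, so two parsers in the request path disagree about header boundaries or body length". The following is an added example, not Undertow's code (Undertow is Java; this is Python so it runs stand-alone), of a strict HTTP/1.x request-head parser that refuses non-token bytes in header names, control bytes in header values, bare CR/LF, and the Content-Length/Transfer-Encoding conflicts that smuggling relies on. The sample requests are constructed for illustration; the page does not say which bytes Undertow accepted, so the vertical-tab and space-before-colon cases illustrate the class, not the CVE's exact trigger.

```python
"""Strict HTTP/1.x request-head parser (added illustration, not Undertow's code).
Rejects characters RFC 7230 does not allow in header names/values and refuses
ambiguous body framing, so a downstream parser cannot read a different request
than the one a front end forwarded."""
import re
from typing import List, Tuple, Union

# RFC 7230 tchar set, used for methods and header field-names.
_TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# field-value content: HTAB, SP, VCHAR (0x21-0x7E), obs-text (0x80-0xFF).
# Every other control byte (NUL, VT, FF, bare CR/LF, ...) is rejected.
_FIELD_VALUE_RE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")
_VERSION_RE = re.compile(rb"HTTP/1\.[01]")

Header = Tuple[bytes, bytes]


class MalformedRequest(ValueError):
    """Raised for any request the strict parser refuses to interpret."""


def parse_request_head(raw: bytes) -> Tuple[bytes, bytes, List[Header]]:
    """Return (method, target, [(lowercased-name, value), ...]) or raise."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("missing CRLF CRLF terminator")
    stripped = head.replace(b"\r\n", b"")
    if b"\n" in stripped or b"\r" in stripped:
        raise MalformedRequest("bare CR or LF inside request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise MalformedRequest("request-line must be METHOD SP target SP version")
    method, target, version = parts
    if not _TOKEN_RE.fullmatch(method):
        raise MalformedRequest("method is not a token")
    if not target or any(c <= 0x20 or c >= 0x7F for c in target):
        raise MalformedRequest("request-target contains forbidden byte")
    if not _VERSION_RE.fullmatch(version):
        raise MalformedRequest("unsupported HTTP version")
    headers: List[Header] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise MalformedRequest("obsolete line folding rejected")
        name, colon, value = line.partition(b":")
        if not colon:
            raise MalformedRequest("header line without colon")
        # Catches "Transfer-Encoding " (space before colon) and VT/FF tricks.
        if not _TOKEN_RE.fullmatch(name):
            raise MalformedRequest("header name is not a token: %r" % name)
        if not _FIELD_VALUE_RE.fullmatch(value):
            raise MalformedRequest("control byte in header value: %r" % value)
        headers.append((name.lower(), value.strip(b" \t")))
    return method, target, headers


def body_framing(headers: List[Header]) -> Union[int, str]:
    """Body length per RFC 7230 section 3.3.3; refuse every ambiguous combination."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        raise MalformedRequest("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip(b" \t").lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            raise MalformedRequest("final transfer-coding is not chunked")
        return "chunked"
    if len(set(cl)) > 1:
        raise MalformedRequest("conflicting Content-Length values")
    if cl:
        if not re.fullmatch(rb"[0-9]+", cl[0]):
            raise MalformedRequest("non-numeric Content-Length")
        return int(cl[0])
    return 0


def classify(raw: bytes) -> str:
    """Verdict string for one raw request: accepted with its framing, or why rejected."""
    try:
        _method, _target, headers = parse_request_head(raw)
        return "accepted, body framing %s" % body_framing(headers)
    except MalformedRequest as exc:
        return "rejected: %s" % exc


# Constructed sample requests (not captured traffic).
REQ_OK = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
REQ_CHUNKED = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: gzip, chunked\r\n\r\n"
REQ_VT_IN_NAME = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                  b"Transfer-Encoding\x0b: chunked\r\nContent-Length: 4\r\n\r\n0\r\n\r\n")
REQ_SPACE_BEFORE_COLON = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                          b"Transfer-Encoding : chunked\r\nContent-Length: 4\r\n\r\n")
REQ_TE_AND_CL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                 b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n0\r\n\r\n")
REQ_BARE_LF = b"GET / HTTP/1.1\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("ok", REQ_OK), ("chunked", REQ_CHUNKED), ("vt-in-name", REQ_VT_IN_NAME),
                       ("space-before-colon", REQ_SPACE_BEFORE_COLON),
                       ("te-and-cl", REQ_TE_AND_CL), ("bare-lf", REQ_BARE_LF)]:
        print("%-20s %s" % (label, classify(req)))
```

The design point is that every rejection is a hard close of the connection rather than a "best effort" read: the moment a front end and a back end each apply their own tolerance to the same bytes, an attacker who controls one request can choose where the second parser believes the next request starts.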
Permalink: https://github.com/advisories/GHSA-qjwc-v72v-fq6r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFqd2Mtdjcydi1mcTZy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-qjwc-v72v-fq6r, CVE-2021-20220
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-20220
- https://github.com/undertow-io/undertow/commit/9e797b2f99617fdad0471eaa88c711ee7f44605f
- https://bugzilla.redhat.com/show_bug.cgi?id=1923133
- https://security.netapp.com/advisory/ntap-20220210-0013/
- https://github.com/advisories/GHSA-qjwc-v72v-fq6r
Blast Radius: 17.9
Affected Packages
maven:io.undertow:undertow-core
Dependent packages: 912
Dependent repositories: 5,259
Affected Version Ranges: < 2.0.34; >= 2.1.0, < 2.1.6
Fixed in: 2.0.34, 2.1.6