QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2017-2666

Back to search

CVE-2017-2666

Published: Jul 27, 2018

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

6.5

MEDIUM

Description

It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

VendorProductVersions

[UNKNOWN]

undertow

affected
n/a

Weaknesses (CWE)

CWE-444

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

RHSA-2017:1411
vendor-advisory
x_refsource_REDHAT
RHSA-2017:1409
vendor-advisory
x_refsource_REDHAT
DSA-3906
vendor-advisory
x_refsource_DEBIAN
RHSA-2017:3458
vendor-advisory
x_refsource_REDHAT
RHSA-2017:1410
vendor-advisory
x_refsource_REDHAT
RHSA-2017:1412
vendor-advisory
x_refsource_REDHAT
RHSA-2017:3455
vendor-advisory
x_refsource_REDHAT
RHSA-2017:3456
vendor-advisory
x_refsource_REDHAT
98966
vdb-entry
x_refsource_BID
RHSA-2017:3454
vendor-advisory
x_refsource_REDHAT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now