CVE-2017-7559

moderate-risk

Published 2018-01-10

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

Do I need to act?

1.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Undertow

Affected Vendors

Redhat

References (22)

Vendor Advisory https://access.redhat.com/errata/RHSA-2017:3454

Vendor Advisory https://access.redhat.com/errata/RHSA-2017:3455

Vendor Advisory https://access.redhat.com/errata/RHSA-2017:3456

Vendor Advisory https://access.redhat.com/errata/RHSA-2017:3458

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:0002

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:0003

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:0004

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:0005

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1322

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7559

Issue Tracking https://issues.jboss.org/browse/UNDERTOW-1251