Description

It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

Remediation

References

CVE-2017-2666

Related Vulnerabilities

Oracle Database Server CVE-2006-0265 Vulnerability (CVE-2006-0265)

OpenSSL Other Vulnerability (CVE-2006-7250)

MySQL CVE-2017-10314 Vulnerability (CVE-2017-10314)

PHP Numeric Errors Vulnerability (CVE-2010-4699)

WordPress Plugin Google XML Sitemap for Videos Cross-Site Request Forgery (2.6.1)

Severity

Medium

Classification

CVE-2017-2666 CWE-444 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities