CVE-2017-12165 — HTTP Request Smuggling in Redhat Undertow

CWE-444 — HTTP Request Smuggling8 documents7 sources

Severity

7.5HIGHNVD

CNA2.6

EPSS

1.1%

top 21.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Undertow RED HAT Undertow Redhat Jboss Enterprise Application Platform

Timeline

PublishedJul 27

Latest updateMay 13

Description

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDredhat/undertow1.0.0 — 1.3.31+2

▶Debianredhat/undertow< 2.0.23-1

▶CVEListV5red_hat/undertow1.3.31, 1.4.17, 2.0.0+2

▶NVDredhat/jboss_enterprise_application_platform7.0.0, 7.1.0+1

🔴Vulnerability Details

OSV

Undertow Request Smuggling vulnerability↗2022-05-13

▶

GHSA

Undertow Request Smuggling vulnerability↗2022-05-13

▶

CVEList

CVE-2017-12165: It was discovered that Undertow before 1↗2018-07-27

▶

OSV

CVE-2017-12165: It was discovered that Undertow before 1↗2018-07-27

▶

📋Vendor Advisories

Red Hat

undertow: improper whitespace parsing leading to potential HTTP request smuggling↗2017-12-13

▶

Debian

CVE-2017-12165: undertow - It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http r...↗2017

▶

💬Community

Bugzilla

CVE-2017-12165 undertow: improper whitespace parsing leading to potential HTTP request smuggling↗2017-09-11

▶