CVE-2020-1710Injection in Redhat Jboss Enterprise Application Platform

CWE-74InjectionCWE-113HTTP Request/Response Splitting6 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 52.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat Jboss Enterprise Application PlatformRedhat Jboss Data Grid
Timeline
PublishedSep 16
Latest updateMay 24

Description

The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

🔴Vulnerability Details

2
GHSA
GHSA-xqwp-g97m-cxpr: The issue appears to be that JBoss EAP 62022-05-24
CVEList
CVE-2020-1710: The issue appears to be that JBoss EAP 62020-09-16

📋Vendor Advisories

1
Red Hat
EAP: field-name is not parsed in accordance to RFC72302020-08-06

💬Community

2
Bugzilla
CVE-2020-2109 jenkins-pipeline-groovy-plugin: sandbox protection bypass through default parameter expressions in CPS-transformed methods2020-03-31
Bugzilla
CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC72302020-01-22