[UNDERTOW-1165] CVE-2017-7559 wildfly-undertow: undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666) [eap-7.1.0] - Red Hat Issue Tracker

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Critical
Resolution: Done
Affects Version/s: None
Fix Version/s: 1.3.34.Final, 1.4.23.Final, 2.0.1.Final
Component/s: None
Labels:

Security Sensitive Issue:

This issue is security relevant

Description

Security Tracking Issue
Do not make this issue public.

NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.

Flaw:

EMBARGOED CVE-2017-7559 undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
https://bugzilla.redhat.com/show_bug.cgi?id=1481665

It was found that original patch for CVE-2017-2666 issue in undertow was incomplete and invalid characters are still allowed in the query string and path parameters.

Gliffy Diagrams

Attachments

Activity

People

Assignee:

Stuart Douglas

Reporter:

Stuart Douglas

Votes:

0 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

22/Aug/17 9:11 PM

Updated:

10/Jul/19 12:47 AM

Resolved:

01/Mar/18 7:26 PM