Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1251

CVE-2017-2666 wildfly-undertow: undertow: HTTP Request smuggling vulnerability due to permitting invalid characters in HTTP requests [eap-7.0.5]

    XMLWordPrintable

Details

    Description

      Security Tracking Issue
      Do not make this issue public.

      NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.

      Flaw:

      EMBARGOED CVE-2017-2666 undertow: HTTP Request smuggling vulnerability due to permitting invalid characters in HTTP requests
      https://bugzilla.redhat.com/show_bug.cgi?id=1436163

      It was found that code that parsed the HTTP request line in undertow permitted invalid characters which results into HTTP request smuggling vulnerability.

      Attachments

        Activity

          Public project attachment banner

            context keys: [headless, issue, helper, isAsynchronousRequest, project, action, user]
            current Project key: UNDERTOW

            People

              sdouglas1@redhat.com Stuart Douglas
              sdouglas1@redhat.com Stuart Douglas
              Jiří Truhlář (Inactive), Michael Cada, Panagiotis Sotiropoulos, Tomas Hofman
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: