CVE-2017-7559

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

References

Affected packages

Git / github.com/undertow-io/undertow

Affected ranges

Type

GIT

Repo

https://github.com/undertow-io/undertow

Events

Introduced

0b340d10071a6b73bb0b5412974fd342afbcd9ea

Fixed

ca20c31781dd721837775b92ad5783d742546e17

Introduced

967b5ecf796fe32afb9a131c7695f731b51303ca

Fixed

9353aa465ba960f0c363fd9d8a164e42c0bccafa

Introduced

Last affected

8947afcaa36dc1b8db3b355b9804893dc38a8abf

Database specific

{
    "versions": [
        {
            "introduced": "1.3.0"
        },
        {
            "fixed": "1.3.31"
        },
        {
            "introduced": "1.4.0"
        },
        {
            "fixed": "1.4.17"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.0-alpha1"
        }
    ]
}

Affected versions

1.*

1.3.0.Final

1.3.1.Final

1.3.2.Final

1.3.3.Final

2.*

2.0.0.Alpha1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7559.json"