CVE-2018-12537

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-12537
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12537.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-12537
Aliases
Published
2018-08-14T19:29:00.247Z
Modified
2025-11-28T12:03:03.710974Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

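In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allows an unfiltered value to inject a new header into the client request or server response. Note that the affected-version lists further down this page extend beyond the 3.0 to 3.5.1 range given here (the vert.x entry includes v2.* tags, and the vertx-web entry lists releases through 5.0.5 and shows no introduced or fixed event), so those lists should be checked against this description before being used to decide whether a release is affected.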

References

Affected packages

Git / github.com/eclipse-vertx/vert.x

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-vertx/vert.x
Events
Introduced
0 (unknown introduced commit; all previous commits are treated as affected)
Fixed

Affected versions

3.*

3.0.0
3.0.0-dev_preview1
3.0.0-milestone2
3.0.0-milestone3
3.0.0-milestone4
3.0.0-milestone5
3.0.0-milestone6
3.1.0
3.2.0
3.2.1
3.3.0
3.3.0.CR2
3.3.1
3.3.2
3.3.3
3.4.0
3.4.0.Beta1
3.4.1
3.4.2
3.5.0
3.5.0.Beta1
3.5.1

Other

Eclipse_Initial_Contribution_2

v2.*

v2.0.1-final
v2.1M1
v2.1M2
v2.1M3
v2.1M4
v2.1M5
v2.1RC1
v2.1RC2
v2.1RC3

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "57545554335411221973462514285013218595",
                "55296655994092639714374566180213378941",
                "48199002129848850546758651231606757641",
                "126941692403848337768564573996481948552",
                "83502336749862031472896407160906239676",
                "77757177303059874738665987482428810868",
                "109911205146242551377618947009905811655",
                "194074069547022484201167669738736267526",
                "221232345031720195377200068825749569265",
                "321425409897480889110487943243850079492",
                "92637773342328112592602925632669371273",
                "27883444568898093642032205132120573850",
                "315020484513895644358765726400581320632",
                "154007764453582972492849227511780048657",
                "107340487283900364029664930441048117374",
                "82937787117461178771132832140993909973",
                "149998840645848653323934714452671469000",
                "160987349953502343445909498130681285232",
                "226822412037087094708752246955886789598",
                "315174741917462781619301955645139355386",
                "222033901384058315782293996236037670630",
                "310198387901025689011575372841375919939",
                "83502336749862031472896407160906239676",
                "162554518027446563808612559487932132940",
                "334483219074968699533886645350294713872",
                "76208012096538708374782154244113113796",
                "316217501280282772027660092798431813327",
                "97322393316463128711212908815849074509",
                "211070458187764585590028030069542191908",
                "302304984921590692853490576212158212691",
                "45424468191393373630518072432493652761",
                "227477079543583100685084918704110616211",
                "154007764453582972492849227511780048657",
                "121611708605030653443732110458575182761",
                "278933557479304025630810755062634817142",
                "155696318655970303263051048933181590882",
                "132181650540695696139844723078980989598"
            ]
        },
        "id": "CVE-2018-12537-190149ab",
        "signature_type": "Line",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java",
            "function": "add"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "34849690609302339086045299469681047122"
        },
        "id": "CVE-2018-12537-332044a2",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/HttpHeaders.java",
            "function": "createOptimized"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "159712140542102793247051007797151438562"
        },
        "id": "CVE-2018-12537-594eccbb",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/headers/VertxHttpHeaders.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "239138673549631658924463845547824024150",
                "137956713581991535520388209932908984226",
                "317308594046313989692878041962939909177",
                "168223954379922759968678450760788726060",
                "69942618185439469084112780986244484467",
                "318522339036683648669654163524213565412",
                "57575465795822096718893678103356567210",
                "259828411543536237846017481122751063335",
                "254299601423768512324252031610667907363",
                "275049381984271659089501623630127406361",
                "116160178353894090831999668745581631153",
                "158239331823006933525619204394488330449",
                "324615712705031958730268976222271650130",
                "68003488749247958612136565323190392234",
                "224416851614008298064066794257613686231"
            ]
        },
        "id": "CVE-2018-12537-67e464b1",
        "signature_type": "Line",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java",
            "function": "add"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "34849690609302339086045299469681047122"
        },
        "id": "CVE-2018-12537-6feb096b",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/HttpHeaders.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "292087609354774151195630688827596681270",
                "326622022292590279509380798862882966352",
                "127570336952451704530287605330630914806",
                "334025012467135033924345202171310501895",
                "317108894043093843539005398123999783614"
            ]
        },
        "id": "CVE-2018-12537-72a8bd2e",
        "signature_type": "Line",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2ServerResponseImpl.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "192237731455296701190301590859110263644",
                "39400502237364686889385891144999733203",
                "264985522842575340974865797194048708354",
                "175907225525515889988281558083254093465",
                "39271311151153674911280875054249590787",
                "25649990894148188181806246815307036162",
                "319780715214618183713346168464160055903",
                "30625939176344970271529091174239017083"
            ]
        },
        "id": "CVE-2018-12537-81cfc928",
        "signature_type": "Line",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java",
            "function": "set"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "34849690609302339086045299469681047122"
        },
        "id": "CVE-2018-12537-85393f56",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java",
            "function": "add"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "34849690609302339086045299469681047122"
        },
        "id": "CVE-2018-12537-9127ceb3",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/test/java/io/vertx/test/core/HttpTest.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "222114278104719120125155138661532619573",
                "148969131513510319763253375849282850799",
                "213193008475294207075905595828908866372",
                "22382159681978471364808851742606998991",
                "85958434038394528563344181650085846055",
                "26522542109507082865052976779922823963",
                "194259738617360768765063980813138924601",
                "272137650468528637517153627833927544386",
                "269041750021865747387431311366294927871",
                "286862004043988385742678833982489142999",
                "43148387750466002978329764155443170854",
                "43106488797191129187615374703087294378",
                "47395421184885394110023586279436228332",
                "261648743528917803562975679983928096437",
                "291343332438589508272958422896497081119",
                "98141671212005779441806108328570023543",
                "164304949391383788113832409199786950355",
                "19840335427719679679630946325939585217",
                "14608622566693810870747078557453859787",
                "242552941518224108318336312870509912610"
            ]
        },
        "id": "CVE-2018-12537-9385d497",
        "signature_type": "Line",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java",
            "function": "set"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "34849690609302339086045299469681047122"
        },
        "id": "CVE-2018-12537-99c1be7c",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/test/java/io/vertx/test/core/VertxHttpHeadersTest.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "40398206223743604849115917332068825509",
                "278618167477620426356179037699214860980",
                "21843082814469784985054459605561830146",
                "235204609414970758147677159738695430536",
                "127864151243601219562919500152580037140"
            ]
        },
        "id": "CVE-2018-12537-b3290f67",
        "signature_type": "Line",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/HttpClientRequestImpl.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "94315945458094188087583086204517861184",
                "330547325211586650312165246800917871275",
                "1780603003372482271169710045596528822",
                "82744637215956477003063600298739059257",
                "90998692765365387215208204185217411618",
                "230394783010607106774477330023159616398",
                "228903727990658366060853240871606993684",
                "298630574028928162403666935452478579257",
                "96787669891088668929711953911127619664",
                "93213151833659385546601124775696752963",
                "135322387341633563009064072371353054728",
                "92051353494066135526437478016100761722",
                "68516374425977976989262157991041870714",
                "299101285005238754615437875543564427077",
                "288528749281399942870822158433572168713",
                "223853887053757473846101484613946954682",
                "131345788685865763239008110433580729135",
                "268575529957161649949214927751231081451"
            ]
        },
        "id": "CVE-2018-12537-b7ef643a",
        "signature_type": "Line",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java",
            "function": "set"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "34849690609302339086045299469681047122"
        },
        "id": "CVE-2018-12537-c0387272",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/headers/VertxHttpHeaders.java",
            "function": "add0"
        },
        "digest": {
            "length": 241.0,
            "function_hash": "279179794026147382236249185704454360061"
        },
        "id": "CVE-2018-12537-cdfca006",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java",
            "function": "add"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "34849690609302339086045299469681047122"
        },
        "id": "CVE-2018-12537-e3186696",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/HttpUtils.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "64534702386714784211515321778673672240",
                "115651604339229915079068895470132096544"
            ]
        },
        "id": "CVE-2018-12537-f6f4c152",
        "signature_type": "Line",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/main/java/io/vertx/core/http/impl/Http2HeadersAdaptor.java",
            "function": "set"
        },
        "digest": {
            "length": 114.0,
            "function_hash": "34849690609302339086045299469681047122"
        },
        "id": "CVE-2018-12537-fbafacf7",
        "signature_type": "Function",
        "source": "https://github.com/eclipse-vertx/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72",
        "signature_version": "v1"
    }
]

Git / github.com/vert-x3/vertx-web

Affected ranges

Type
GIT
Repo
https://github.com/vert-x3/vertx-web
Events

Affected versions

3.*

3.0.0
3.1.0
3.2.0
3.2.1
3.3.0
3.3.0.CR2
3.3.1
3.3.2
3.3.3
3.4.0
3.4.0.Beta1
3.4.1
3.4.2
3.5.0
3.5.0.Beta1
3.5.1
3.5.2
3.5.2.CR1
3.5.2.CR2
3.5.2.CR3
3.5.3
3.5.3.CR1
3.5.4
3.6.0
3.6.0.CR1
3.6.0.CR2
3.6.1
3.6.2
3.6.3
3.7.0
3.7.1
3.8.0
3.8.1
3.8.2
3.8.3
3.8.3-01
3.8.4
3.8.5
3.9.0
3.9.1
3.9.10
3.9.11
3.9.12
3.9.13
3.9.14
3.9.15
3.9.16
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
3.9.7
3.9.8
3.9.9

4.*

4.0.0
4.0.0-milestone1
4.0.0-milestone2
4.0.0-milestone4
4.0.0-milestone5
4.0.0.Beta1
4.0.0.Beta2
4.0.0.Beta3
4.0.0.CR1
4.0.0.CR2
4.0.1
4.0.2
4.0.3
4.1.0
4.1.0.Beta1
4.1.0.CR1
4.1.0.CR2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.2.0
4.2.0.Beta1
4.2.0.CR1
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.5.0
4.5.1
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.17
4.5.18
4.5.19
4.5.2
4.5.20
4.5.21
4.5.22
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9

5.*

5.0.0
5.0.0.CR1
5.0.0.CR2
5.0.0.CR3
5.0.0.CR4
5.0.0.CR6
5.0.0.CR7
5.0.0.CR8
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5