CVE-2021-20220

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-20220
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20220.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-20220
Aliases
Downstream
Published
2021-02-23T18:15:13.397Z
Modified
2026-02-13T02:14:16.653516Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.

References

Affected packages

Git / github.com/undertow-io/undertow

Affected ranges

Type
GIT
Repo
https://github.com/undertow-io/undertow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ff072c6feeb9315d6fd743345890d6de2a2e5423
Introduced
2291c7c07dc5bccf3b45c4db3a1b63123b8ce484
Fixed
152200bce7942e6747d79b4658c56c0ab15ac472

Affected versions

2.*
2.1.0.Final
2.1.1.Final
2.1.2.Final
2.1.3.Final
2.1.4.Final
2.1.5.Final

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20220.json"