In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
{ "nvd_published_at": "2018-01-10T15:29:00Z", "github_reviewed_at": "2022-11-08T12:48:58Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-444" ] }