CVE-2017-12165 — LOW (2.6) — White Hats Nepal

Q: What is CVE-2017-12165?

CVE-2017-12165 is a vulnerability with a CVSS score of 2.6 (LOW). It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

Q: How severe is CVE-2017-12165?

CVE-2017-12165 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-12165?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Undertow, Redhat Jboss Enterprise Application Platform.

Vulnerability Description

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

CVSS Score

2.6

LOW

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Undertow	>= 1.0.0, < 1.3.31
Redhat	Jboss Enterprise Application Platform	7.0.0

Related Weaknesses (CWE)

CWE-444

References

https://access.redhat.com/errata/RHSA-2017:3454Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3455Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3456Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3458Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0002Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0003Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0004Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0005Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1322Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12165Issue TrackingVendor Advisory
https://access.redhat.com/errata/RHSA-2017:3454Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3455Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3456Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:3458Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0002Vendor Advisory

FAQ

What is CVE-2017-12165?

CVE-2017-12165 is a vulnerability with a CVSS score of 2.6 (LOW). It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

How severe is CVE-2017-12165?

CVE-2017-12165 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-12165?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Undertow, Redhat Jboss Enterprise Application Platform.