Vulnerability Description
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Undertow | - |
| Redhat | Jboss Enterprise Application Platform | 7.0.0 |
| Redhat | Enterprise Linux | 6.0 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2017-1409.htmlVendor Advisory
- http://www.securityfocus.com/bid/98966Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:1410Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:1411Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:1412Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:3454Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:3455Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:3456Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:3458Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2666Issue TrackingVendor Advisory
- https://www.debian.org/security/2017/dsa-3906Third Party Advisory
- http://rhn.redhat.com/errata/RHSA-2017-1409.htmlVendor Advisory
- http://www.securityfocus.com/bid/98966Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2017:1410Vendor Advisory
- https://access.redhat.com/errata/RHSA-2017:1411Vendor Advisory
FAQ
What is CVE-2017-2666?
CVE-2017-2666 is a vulnerability with a CVSS score of 6.5 (MEDIUM). It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid charact...
How severe is CVE-2017-2666?
CVE-2017-2666 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-2666?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Undertow, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux, Debian Debian Linux.