CVE-2018-1067 — MEDIUM (6.1)

Q: How severe is CVE-2018-1067?

CVE-2018-1067 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1067?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Undertow, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux, Redhat Virtualization Host.

Vulnerability Description

In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Undertow	< 1.4.25
Redhat	Jboss Enterprise Application Platform	7.1
Redhat	Enterprise Linux	6.0
Redhat	Virtualization Host	4.0

Related Weaknesses (CWE)

CWE-113

References

https://access.redhat.com/errata/RHSA-2018:1247Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1248Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1249Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1251Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2643Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:0877Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1067Issue TrackingVendor Advisory
https://access.redhat.com/errata/RHSA-2018:1247Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1248Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1249Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1251Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2643Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:0877Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1067Issue TrackingVendor Advisory

FAQ

What is CVE-2018-1067?

CVE-2018-1067 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also re...

How severe is CVE-2018-1067?

CVE-2018-1067 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1067?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Undertow, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux, Redhat Virtualization Host.