CVE-2018-12537 — MEDIUM (5.3)

Q: How severe is CVE-2018-12537?

CVE-2018-12537 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-12537?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Vert.X.

Vulnerability Description

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Eclipse	Vert.X	>= 3.0.0, <= 3.5.1

Related Weaknesses (CWE)

CWE-20 CWE-93

References

https://access.redhat.com/errata/RHSA-2018:2371Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3768Third Party Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=536038Issue TrackingThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1591072Issue TrackingThird Party Advisory
https://github.com/eclipse/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab7Third Party Advisory
https://github.com/eclipse/vert.x/issues/2470Third Party Advisory
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2371Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3768Third Party Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=536038Issue TrackingThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1591072Issue TrackingThird Party Advisory
https://github.com/eclipse/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab7Third Party Advisory
https://github.com/eclipse/vert.x/issues/2470Third Party Advisory
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-Third Party Advisory

FAQ

What is CVE-2018-12537?

CVE-2018-12537 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfilter...

How severe is CVE-2018-12537?

CVE-2018-12537 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-12537?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Vert.X.