Vulnerability Description
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Undertow | < 2.0.34 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Oncommand Workflow Automation | - |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1923133Issue TrackingVendor Advisory
- https://security.netapp.com/advisory/ntap-20220210-0013/Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1923133Issue TrackingVendor Advisory
- https://security.netapp.com/advisory/ntap-20220210-0013/Third Party Advisory
FAQ
What is CVE-2021-20220?
CVE-2021-20220 is a vulnerability with a CVSS score of 4.8 (MEDIUM). A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid ch...
How severe is CVE-2021-20220?
CVE-2021-20220 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-20220?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Undertow, Netapp Active Iq Unified Manager, Netapp Oncommand Workflow Automation.