In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
History

Fri, 23 Aug 2024 05:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-01-10T15:00:00Z

Updated: 2024-09-16T19:56:46.618Z

Reserved: 2017-04-05T00:00:00

Link: CVE-2017-7559

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-01-10T15:29:00.317

Modified: 2024-11-21T03:32:09.947

Link: CVE-2017-7559

cve-icon Redhat

Severity : Moderate

Publid Date: 2017-12-13T00:00:00Z

Links: CVE-2017-7559 - Bugzilla