GHSA-47mp-rq2x-wjf2

Suggest an improvement
Source
https://github.com/advisories/GHSA-47mp-rq2x-wjf2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-47mp-rq2x-wjf2/GHSA-47mp-rq2x-wjf2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-47mp-rq2x-wjf2
Aliases
Published
2022-05-13T01:14:41Z
Modified
2023-11-01T04:48:43.557214Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers in Undertow
Details

In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.

Database specific
{
    "nvd_published_at": "2018-05-21T17:29:00Z",
    "github_reviewed_at": "2022-06-30T13:49:55Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-113"
    ]
}
References

Affected packages

Maven / org.jboss.eap:wildfly-undertow

Package

Name
org.jboss.eap:wildfly-undertow
View open source insights on deps.dev
Purl
pkg:maven/org.jboss.eap/wildfly-undertow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.1.2.GA

Database specific

{
    "last_known_affected_version_range": "<= 7.1.1.GA"
}