GitHub Advisory Database: GHSA-MCFM-H73V-635M
History: Oct 19, 2018 - 4:55 p.m.

Undertow-core vulnerable to HTTP Request Smuggling

2018-10-19 16:55:14
CWE-444
github.com

EPSS: 0.006 (Low), percentile 78.2%

It was discovered that the Undertow code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but interpreted them differently, to inject data into the HTTP response. By manipulating the HTTP response, the attacker could poison a web cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
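The mitigation for this class of bug (CWE-444) is to reject any request line that does not match the grammar exactly, so the server and the proxy cannot disagree about it. The following is an added example, not Undertow's code: the advisory does not name the invalid characters, so the check assumes the RFC 7230 section 3.1.1 grammar, and the two permissive parsers and the sample lines are constructed for illustration.

```python
import re

# RFC 7230 3.1.1: request-line = method SP request-target SP HTTP-version
# method is a "token"; separators are exactly one SP (0x20).
# Assumption: request-target is restricted to visible ASCII (0x21-0x7E),
# which excludes SP, HTAB, other control characters, DEL and bytes >= 0x80.
REQUEST_LINE = re.compile(
    rb"([!#$%&'*+\-.^_`|~0-9A-Za-z]+) ([\x21-\x7e]+) (HTTP/[0-9]\.[0-9])"
)

def parse_strict(line: bytes):
    """Return (method, target, version), or None when the line must get a 400."""
    m = REQUEST_LINE.fullmatch(line)
    return m.groups() if m else None

def parse_any_ws(line: bytes):
    """Hypothetical permissive parser A: any run of whitespace separates fields."""
    parts = line.split()
    return (parts[0], parts[1], parts[-1]) if len(parts) >= 3 else None

def parse_sp_only(line: bytes):
    """Hypothetical permissive parser B: only SP separates fields."""
    parts = line.split(b" ")
    return tuple(parts) if len(parts) == 3 else None

def ambiguous(line: bytes) -> bool:
    """True when the two permissive parsers accept the line but disagree on it."""
    a, b = parse_any_ws(line), parse_sp_only(line)
    return a is not None and b is not None and a != b

# Constructed sample request lines (CRLF already stripped).
SAMPLES = [
    b"GET /index.html HTTP/1.1",   # well-formed
    b"GET /a\t/b HTTP/1.1",        # HTAB inside the request-target
    b"GET  /index.html HTTP/1.1",  # two SP between method and target
    b"GET /x\x00 HTTP/1.1",        # NUL inside the request-target
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict = "accept" if parse_strict(line) else "reject (400)"
        print(f"{line!r:35} strict={verdict:13} ambiguous={ambiguous(line)}")
```

The HTAB sample is the case the advisory describes in general terms: both permissive parsers accept it, yet they extract different request-targets, while the strict parser rejects it outright.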