Lucene search

K
ubuntucveUbuntu.comUB:CVE-2017-7559
HistoryJan 10, 2018 - 12:00 a.m.

CVE-2017-7559

2018-01-1000:00:00
ubuntu.com
ubuntu.com
15

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.006 Low

EPSS

Percentile

78.3%

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x
before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was
incomplete and invalid characters are still allowed in the query string and
path parameters. This could be exploited, in conjunction with a proxy that
also permitted the invalid characters but with a different interpretation,
to inject data into the HTTP response. By manipulating the HTTP response
the attacker could poison a web-cache, perform an XSS attack, or obtain
sensitive information from requests other than their own.

OSVersionArchitecturePackageVersionFilename
ubuntu24.04noarchundertow< anyUNKNOWN
ubuntu16.04noarchundertow< anyUNKNOWN

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.006 Low

EPSS

Percentile

78.3%