CVE-2017-12165

Description

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

References

Link	Tags
https://access.redhat.com/errata/RHSA-2018:1322	vendor advisory
https://access.redhat.com/errata/RHSA-2018:0002	vendor advisory
https://access.redhat.com/errata/RHSA-2017:3458	vendor advisory
https://access.redhat.com/errata/RHSA-2018:0004	vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12165	issue tracking vendor advisory
https://access.redhat.com/errata/RHSA-2017:3455	vendor advisory
https://access.redhat.com/errata/RHSA-2017:3456	vendor advisory
https://access.redhat.com/errata/RHSA-2018:0003	vendor advisory
https://access.redhat.com/errata/RHSA-2018:0005	vendor advisory
https://access.redhat.com/errata/RHSA-2017:3454	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2017-12165?: CVE-2017-12165 has been scored as a low severity vulnerability.
How to fix CVE-2017-12165?: To fix CVE-2017-12165, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2017-12165 being actively exploited in the wild?: It is possible that CVE-2017-12165 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2017-12165?: CVE-2017-12165 affects Red Hat undertow.

Description

Category

CWE-444 – Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

References

Frequently Asked Questions