A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1923133 | Issue Tracking Vendor Advisory |
https://security.netapp.com/advisory/ntap-20220210-0013/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Information
Published : 2021-02-23 10:15
Updated : 2022-02-22 06:53
NVD link : CVE-2021-20220
Mitre link : CVE-2021-20220
JSON object : View
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Products Affected
netapp
- oncommand_workflow_automation
- active_iq_unified_manager
redhat
- undertow