| Title | Undertow におけるHTTP レスポンス分割に関する脆弱性 |
|---|---|
| Summary | Undertow には、HTTP レスポンス分割に関する脆弱性が存在します。 本脆弱性は、CVE-2016-4993 に対する修正が不完全だったことに起因する問題です。 |
| Possible impacts | 情報を取得される、および情報を改ざんされる可能性があります。 |
| Solution | ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | April 25, 2018, midnight |
| Registration Date | July 12, 2018, 4:36 p.m. |
| Last Update | July 12, 2018, 4:36 p.m. |
| CVSS3.0 : 警告 | |
| Score | 6.1 |
|---|---|
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CVSS2.0 : 警告 | |
| Score | 5.8 |
|---|---|
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| レッドハット |
| JBoss Enterprise Application Platform |
| Undertow 7.1.2 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2018年07月12日] 掲載 | July 12, 2018, 11:56 a.m. |
| Summary | In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value. |
|---|---|
| Publication Date | May 22, 2018, 2:29 a.m. |
| Registration Date | March 1, 2021, 6:43 p.m. |
| Last Update | Nov. 21, 2024, 12:59 p.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:* | 2.0.0 | 2.0.5 | |||
| cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:* | 1.4.25 | ||||
| Configuration2 | or higher | or less | more than | less than | |
| cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* | ||||
| 2 | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* | ||||
| Configuration3 | or higher | or less | more than | less than | |
| cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* | ||||