N/A

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

N/A

HTTP请求的解释不一致性(HTTP请求私运)

Red Hat Undertow 安全漏洞

Red Hat Undertow是美国红帽（Red Hat）公司的一款基于Java的嵌入式Web服务器，是Wildfly（Java应用服务器）默认的Web服务器。 Red Hat Undertow中存在安全漏洞，该漏洞源于程序没有过滤查询字符串和路径参数中无效字符。攻击者可通过操作HTTP相响应利用该漏洞造成web缓存中毒，实施跨站脚本攻击，或获取其他用户请求中的敏感信息。以下版本受到影响：Undertow 2.0.0.Alpha2之前的2.x版本，1.4.17.Final之前的1.4.x版本，1.3.3

N/A

N/A