Bug#900323: undertow: CVE-2018-1067: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)
Salvatore Bonaccorso
carnil at debian.org
Tue May 29 06:15:33 BST 2018
Source: undertow
Version: 1.4.3-1
Severity: important
Tags: security upstream
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302
Hi,

The following vulnerability was published for undertow; the original
CVE-2016-4993 fixed via 1.4.3 upstream was incomplete. No fix
available at the time of writing.

CVE-2018-1067[0]:
| In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the
| fix for CVE-2016-4993 was incomplete and Undertow web server is
| vulnerable to the injection of arbitrary HTTP headers, and also
| response splitting, due to insufficient sanitization and validation of
| user input before the input is used as part of an HTTP header value.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1067
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1067
[1] https://issues.jboss.org/browse/UNDERTOW-1302

Regards,
Salvatore
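
An application-side mitigation for the header injection described in the CVE text, as an added example that is not part of the original report or of Undertow's code: check any user-derived string against an allowlist before it is used as an HTTP header value. `HeaderValueCheck`, `isSafeHeaderValue` and `putHeader` are hypothetical names, and the sample inputs are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HeaderValueCheck {

    // Allowlist: horizontal tab, space and visible ASCII only. A denylist of
    // '\r' and '\n' alone would miss input that turns into those bytes only
    // when the value is encoded for the wire.
    static boolean isSafeHeaderValue(String value) {
        if (value == null) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\t' && (c < 0x20 || c > 0x7E)) {
                return false;
            }
        }
        return true;
    }

    // Hypothetical helper standing in for wherever the application copies
    // request data into a response header.
    static void putHeader(Map<String, String> headers, String name, String value) {
        if (!isSafeHeaderValue(value)) {
            throw new IllegalArgumentException("illegal character in value for header " + name);
        }
        headers.put(name, value);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, e.g. a redirect target taken from a query parameter.
        String[] samples = {
            "/account/home",                     // accepted
            "/home\r\nX-Constructed-Header: 1",  // literal CR LF: rejected
            "/caf\u00E9"                         // non-ASCII character: rejected
        };
        Map<String, String> headers = new LinkedHashMap<>();
        for (String s : samples) {
            try {
                putHeader(headers, "Location", s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        System.out.println(headers);
    }
}
```

Values that legitimately contain non-ASCII characters, such as redirect targets, need to be percent-encoded before this check so that only ASCII reaches the header.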