Medium severity6.5NVD Advisory· Published Jul 27, 2018· Updated Jun 17, 2026
CVE-2017-2666
CVE-2017-2666
Description
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.undertow:undertow-coreMaven | < 1.3.31 | 1.3.31 |
io.undertow:undertow-coreMaven | >= 1.4.0, < 1.4.17 | 1.4.17 |
Affected products
1Patches
Vulnerability mechanics
References
13- rhn.redhat.com/errata/RHSA-2017-1409.htmlnvdVendor Advisory
- www.securityfocus.com/bid/98966nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2017:1410nvdVendor Advisory
- access.redhat.com/errata/RHSA-2017:1411nvdVendor Advisory
- access.redhat.com/errata/RHSA-2017:1412nvdVendor Advisory
- access.redhat.com/errata/RHSA-2017:3454nvdVendor Advisory
- access.redhat.com/errata/RHSA-2017:3455nvdVendor Advisory
- access.redhat.com/errata/RHSA-2017:3456nvdVendor Advisory
- access.redhat.com/errata/RHSA-2017:3458nvdVendor Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor Advisory
- github.com/advisories/GHSA-mcfm-h73v-635mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-2666ghsaADVISORY
- www.debian.org/security/2017/dsa-3906nvdThird Party Advisory
News mentions
0No linked articles in our index yet.