A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 10
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Redhat Build_Of_Apache_Camel_-_Hawtio
cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Build_Of_Apache_Camel_For_Spring_Boot
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Data_Grid
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Fuse
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Jboss_Enterprise_Application_Platform
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Jboss_Enterprise_Application_Platform
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Jboss_Enterprise_Application_Platform_Expansion_Pack
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
|
— | — |
|
Redhat Process_Automation
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Single_Sign-On
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Undertow
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*
|
— | — |