A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 11
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Redhat Build_Of_Apache_Camel_-_Hawtio
cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:4.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Build_Of_Apache_Camel_For_Spring_Boot
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:4.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Data_Grid
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Fuse
cpe:2.3:a:redhat:fuse:7.0.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Jboss_Enterprise_Application_Platform
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Jboss_Enterprise_Application_Platform
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Jboss_Enterprise_Application_Platform_Expansion_Pack
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
|
— | — |
|
Redhat Process_Automation
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Single_Sign-On
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
|
— | — |
|
Redhat Undertow
cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*
|
— | — |
|
Redhat Enterprise_Linux
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
|
— | — |