A flaw was found in Undertow: a regression in the fix for CVE-2020-10687. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 because invalid characters are permitted in an HTTP request. This flaw allows an attacker to poison a web cache, perform an XSS attack, or obtain sensitive information from requests other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
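The security-relevant point in the description is that a server which tolerates bytes outside the HTTP token grammar in a header name can disagree with a stricter proxy or load balancer in front of it about where one request ends and the next begins; that disagreement is what request smuggling exploits. The Python below is an added illustration written for this page, not Undertow's code, and it makes no claim about which characters Undertow actually accepted. It implements a strict HTTP/1.x header-block check against the RFC 7230 grammar (token characters only in field names, no control bytes in values, no obs-fold, no ambiguous framing), beside two constructed tolerant parsers, and shows that a probe request carrying a vertical tab (0x0B) in the Transfer-Encoding name is framed differently by the two tolerant parsers but rejected outright by the strict one. The probe request, the clean request, the host name and both tolerant behaviours are constructed for the example; the HTTP/2 side of the CVE is not covered.

```python
import re

# RFC 7230 "tchar": the only bytes allowed in a header field name.
TCHAR = frozenset(b"!#$%&'*+-.^_`|~"
                  b"0123456789"
                  b"abcdefghijklmnopqrstuvwxyz"
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZ")


class RequestError(ValueError):
    """Raised when a request does not satisfy the strict grammar."""


def _split_header_block(raw: bytes):
    """Split a raw HTTP/1.x request into its header lines and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RequestError("header block not terminated")
    lines = head.split(b"\r\n")
    if not re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", lines[0]):
        raise RequestError("malformed request line")
    return lines[1:], body


def parse_headers_strict(raw: bytes) -> dict:
    """Strict parse: a non-tchar byte in a field name, a control byte in a
    value, obs-fold, or ambiguous body framing is rejected outright.
    Returns {lowercased-name: [values...]}."""
    lines, _ = _split_header_block(raw)
    headers: dict = {}
    for line in lines:
        if line[:1] in (b" ", b"\t"):
            raise RequestError("obs-fold (line folding) is not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not name:
            raise RequestError("header line without name/colon")
        if any(b not in TCHAR for b in name):
            raise RequestError(f"invalid byte in header name {name!r}")
        value = value.strip(b" \t")
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in value):
            raise RequestError("control byte in header value")
        headers.setdefault(name.decode("ascii").lower(), []).append(value.decode("latin-1"))
    # RFC 7230 section 3.3.3: TE together with CL, or conflicting CLs, cannot be framed safely.
    if "transfer-encoding" in headers and "content-length" in headers:
        raise RequestError("Transfer-Encoding and Content-Length both present")
    cl = headers.get("content-length", [])
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        raise RequestError("conflicting or non-numeric Content-Length")
    return headers


def parse_headers_lenient(raw: bytes, drop_invalid: bool) -> dict:
    """Two constructed tolerant behaviours (stand-ins, not Undertow's logic):
    drop_invalid=True strips non-tchar bytes from the name, so
    b'Transfer-Encoding\\x0b' is treated as 'transfer-encoding';
    drop_invalid=False keeps the raw name, so the same line is just an
    unknown header and framing falls back to Content-Length."""
    lines, _ = _split_header_block(raw)
    headers: dict = {}
    for line in lines:
        name, _, value = line.partition(b":")
        if drop_invalid:
            name = bytes(b for b in name if b in TCHAR)
        headers.setdefault(name.decode("latin-1").lower(), []).append(value.strip().decode("latin-1"))
    return headers


def framing(headers: dict) -> str:
    """How a parser would delimit the body (RFC 7230 section 3.3.3 precedence)."""
    if any(v.lower().endswith("chunked") for v in headers.get("transfer-encoding", [])):
        return "chunked"
    if "content-length" in headers:
        return "content-length:" + headers["content-length"][0]
    return "none"


def desync_possible(raw: bytes) -> bool:
    """True when the two tolerant parsers frame the same bytes differently."""
    a = framing(parse_headers_lenient(raw, drop_invalid=True))
    b = framing(parse_headers_lenient(raw, drop_invalid=False))
    return a != b


# Constructed probe: a vertical tab (0x0B) inside the Transfer-Encoding field name.
PROBE = (b"POST / HTTP/1.1\r\n"
         b"Host: example.test\r\n"
         b"Content-Length: 5\r\n"
         b"Transfer-Encoding\x0b: chunked\r\n"
         b"\r\n"
         b"0\r\n\r\n")

# Constructed well-formed request for comparison.
CLEAN = (b"POST / HTTP/1.1\r\n"
         b"Host: example.test\r\n"
         b"Content-Length: 5\r\n"
         b"\r\n"
         b"hello")

if __name__ == "__main__":
    print("probe desync between tolerant parsers:", desync_possible(PROBE))
    try:
        parse_headers_strict(PROBE)
    except RequestError as e:
        print("strict parser rejects probe:", e)
    print("clean request framing:", framing(parse_headers_strict(CLEAN)))
```

Run directly to see the three outcomes. The practical check is that the strict grammar must hold at every hop that parses the request (proxy, load balancer, application server), because the smuggling only works when two hops in the chain frame the same bytes differently; a single tolerant hop is enough to reintroduce the ambiguity.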
References
Link | Resource
---|---
https://bugzilla.redhat.com/show_bug.cgi?id=1923133 | Issue Tracking, Vendor Advisory
https://security.netapp.com/advisory/ntap-20220210-0013/ | Third Party Advisory
History
22 Feb 2022, 14:53
Type | Values Removed | Values Added
---|---|---
First Time | | NetApp; NetApp Active IQ Unified Manager; NetApp OnCommand Workflow Automation
References | | (CONFIRM) https://security.netapp.com/advisory/ntap-20220210-0013/ - Third Party Advisory
CPE | | cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
10 Feb 2022, 10:15
Type | Values Removed | Values Added
---|---|---
References | |
01 Mar 2021, 21:18
Type | Values Removed | Values Added
---|---|---
CVSS | v2 : (none) v3 : (none) | v2 : 5.8 v3 : 4.8
References | | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1923133 - Issue Tracking, Vendor Advisory
CPE | | cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
23 Feb 2021, 18:15
Type | Values Removed | Values Added
---|---|---
New CVE | |
Information
Published : 2021-02-23 18:15
Updated : 2023-12-10 13:41
NVD link : CVE-2021-20220
Mitre link : CVE-2021-20220
CVE.ORG link : CVE-2021-20220
Products Affected
netapp
- active_iq_unified_manager
- oncommand_workflow_automation
redhat
- undertow
CWE
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')