CVE-2017-12165

LOW

Undertow <1.4.17, <1.3.31, <2.0.0 - HTTP Request Smuggling

Title source: llm

Description

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes HTTP request headers containing unusual whitespace, which can make HTTP request smuggling possible.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2017-12165-undertow-vulnerable
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2017-12165-undertow-vulnerable

Scores

CVSS v3 2.6
EPSS 0.0110
EPSS Percentile 78.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

Details

CWE
CWE-444
Status published
Products (5)
io.undertow/undertow-core 0 - 1.3.31 (Maven)
redhat/jboss_enterprise_application_platform 7.0.0
redhat/jboss_enterprise_application_platform 7.1.0
redhat/undertow 2.0.0 alpha_1
redhat/undertow 1.0.0 - 1.3.31
Published Jul 27, 2018
Tracked Since Feb 18, 2026