| Vulnerability Name: | CVE-2021-20220 (CCN-197300) | ||||||||||||
| Assigned: | 2020-12-17 | ||||||||||||
| Published: | 2021-02-18 | ||||||||||||
| Updated: | 2022-02-22 | ||||||||||||
| Summary: | A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity. | ||||||||||||
| CVSS v3 Severity: | 4.8 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) 4.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:U/RC:R)
4.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:U/RC:R)
| ||||||||||||
| CVSS v2 Severity: | 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-444 CWE-444 | ||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-20220 Source: CCN Type: Red Hat Bugzilla - Bug 1923133 (CVE-2021-20220) - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687 Source: MISC Type: Issue Tracking, Vendor Advisory https://bugzilla.redhat.com/show_bug.cgi?id=1923133 Source: XF Type: UNKNOWN undertow-cve202120220-request-smuggling(197300) Source: CONFIRM Type: Third Party Advisory https://security.netapp.com/advisory/ntap-20220210-0013/ Source: CCN Type: Undertow Web site Undertow Source: CCN Type: WhiteSource Vulnerability Database CVE-2021-20220 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||