Home > Vulnerability Database > CVE-2018-1067

Mend.io Vulnerability Database

CVE-2018-1067

Good to know:

Date: May 21, 2018

In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.

Language: Java

Severity Score

6.1

Related Resources (9)

Url: https://access.redhat.com/errata/RHSA-2018:1248

Url: https://access.redhat.com/errata/RHSA-2018:1249

Url: https://access.redhat.com/errata/RHSA-2018:2643

Url: https://access.redhat.com/errata/RHSA-2019:0877

Url: https://access.redhat.com/errata/RHSA-2018:1247

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-1067

Url: https://access.redhat.com/errata/RHSA-2018:1251

Url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1067

Url: https://www.mend.io/vulnerability-database/CVE-2018-1067

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-113

Top Fix

Upgrade Version

Upgrade to version io.undertow:undertow-core:2.0.5.Final

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	5.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-1067

Good to know:

Date: May 21, 2018

Language: Java

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?