{ "threat_severity" : "Moderate", "public_date" : "2021-02-04T00:00:00Z", "bugzilla" : { "description" : "undertow: Possible regression in fix for CVE-2020-10687", "id" : "1923133", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1923133" }, "cvss3" : { "cvss3_base_score" : "4.8", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-444", "details" : [ "A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.", "A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity." ], "affected_release" : [ { "product_name" : "Red Hat EAP-XP 2.0.0 via EAP 7.3.x base", "release_date" : "2021-07-15T00:00:00Z", "advisory" : "RHSA-2021:2755", "cpe" : "cpe:/a:redhat:jbosseapxp", "package" : "wildfly-undertow" }, { "product_name" : "Red Hat EAP-XP via EAP 7.3.x base", "release_date" : "2021-06-02T00:00:00Z", "advisory" : "RHSA-2021:2210", "cpe" : "cpe:/a:redhat:jbosseapxp", "package" : "wildfly-undertow" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0885", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "package" : "wildfly-undertow" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-activemq-artemis-0:2.9.0-9.redhat_00019.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-bouncycastle-0:1.68.0-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-guava-failureaccess-0:1.0.1-1.redhat_00002.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-guava-libraries-0:30.1.0-1.redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-hal-console-0:3.2.13-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-ironjacamar-0:1.4.27-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-jboss-ejb-client-0:4.0.39-1.SP1_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-jboss-logmanager-0:2.1.18-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-jboss-remoting-0:5.0.20-2.SP1_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-jboss-server-migration-0:1.7.2-5.Final_redhat_00006.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-narayana-0:5.9.11-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-undertow-0:2.0.34-1.SP1_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-wildfly-0:7.3.6-1.GA_redhat_00002.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-wildfly-elytron-0:1.10.11-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-wildfly-http-client-0:1.0.25-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0872", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package" : "eap7-wildfly-naming-client-0:1.0.14-1.Final_redhat_00001.1.el6eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-activemq-artemis-0:2.9.0-9.redhat_00019.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-bouncycastle-0:1.68.0-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-guava-failureaccess-0:1.0.1-1.redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-guava-libraries-0:30.1.0-1.redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-hal-console-0:3.2.13-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-ironjacamar-0:1.4.27-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-jboss-ejb-client-0:4.0.39-1.SP1_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-jboss-logmanager-0:2.1.18-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-jboss-remoting-0:5.0.20-2.SP1_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-jboss-server-migration-0:1.7.2-5.Final_redhat_00006.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-narayana-0:5.9.11-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-undertow-0:2.0.34-1.SP1_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-wildfly-0:7.3.6-1.GA_redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-wildfly-elytron-0:1.10.11-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-wildfly-http-client-0:1.0.25-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0873", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package" : "eap7-wildfly-naming-client-0:1.0.14-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-activemq-artemis-0:2.9.0-9.redhat_00019.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-bouncycastle-0:1.68.0-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-guava-failureaccess-0:1.0.1-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-guava-libraries-0:30.1.0-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-hal-console-0:3.2.13-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-ironjacamar-0:1.4.27-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-jboss-ejb-client-0:4.0.39-1.SP1_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-jboss-logmanager-0:2.1.18-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-jboss-remoting-0:5.0.20-2.SP1_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-jboss-server-migration-0:1.7.2-5.Final_redhat_00006.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-narayana-0:5.9.11-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-undertow-0:2.0.34-1.SP1_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-wildfly-0:7.3.6-1.GA_redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-wildfly-elytron-0:1.10.11-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-wildfly-http-client-0:1.0.25-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date" : "2021-03-16T00:00:00Z", "advisory" : "RHSA-2021:0874", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package" : "eap7-wildfly-naming-client-0:1.0.14-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat Single Sign-On 7.4.6", "release_date" : "2021-03-23T00:00:00Z", "advisory" : "RHSA-2021:0974", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7", "package" : "wildfly-undertow" } ], "package_state" : [ { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "wildfly-undertow", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "wildfly-undertow", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "wildfly-undertow", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20220\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20220" ], "name" : "CVE-2021-20220", "csaw" : false }