CVE-2017-7559: Undertow vulnerable to Request Smuggling
CVSS Score
6.1 (CVSS v3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.7733%
CWE
Published
5/13/2022
Updated
1/29/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
io.undertow:undertow-core | maven | >= 1.4.0, < 1.4.17.Final | 1.4.17.Final |
io.undertow:undertow-core | maven | >= 1.3.0, < 1.3.31.Final | 1.3.31.Final |
io.undertow:undertow-core | maven | = 2.0.0.Alpha1 | 2.0.0.Alpha2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly cites improper handling of invalid characters in query strings and path parameters. These functions are core to HTTP request parsing in Undertow and align with the CWE-444 (HTTP Request Smuggling) context. The JIRA issue UNDERTOW-1251 and the patched versions confirm fixes in these areas. While exact commit details are unavailable, the functions' responsibilities match the vulnerability's technical root cause.