
CVE-2017-7559: Undertow vulnerable to Request Smuggling

CVSS Score (v3.0): 6.1

Basic Information

EPSS Score: 0.7733%
Published: 5/13/2022
Updated: 1/29/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name                  Ecosystem   Vulnerable Versions           First Patched Version
io.undertow:undertow-core     maven       >= 1.4.0, < 1.4.17.Final      1.4.17.Final
io.undertow:undertow-core     maven       >= 1.3.0, < 1.3.31.Final      1.3.31.Final
io.undertow:undertow-core     maven       = 2.0.0.Alpha1                2.0.0.Alpha2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability description explicitly cites improper handling of invalid characters in query strings and path parameters. These functions are core to HTTP request parsing in Undertow and align with the CWE-444 (HTTP Smuggling) context. The JIRA issue UNDERTOW-1251 and patch versions confirm fixes in these areas. While exact commit details are unavailable, the functions' responsibilities match the vulnerability's technical root cause.


WAF Protection Rules

WAF Rule

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-****-**** was incomplete and invalid characters are still allowed in the query string and path parameters. This could be
