The vulnerability stems from Undertow's cookie parser failing to terminate the parsing of a quoted value when it encounters a delimiter character. The GitHub patch modifies parseCookie to reset the parsing state on ';' (or on ',' when commaIsSeperator is true), so a delimiter can no longer be carried inside a quoted value and used to inject or hide cookies. The added test case testNoDoubleQuoteTermination, as its name indicates, covers a value whose opening double quote is never closed, and shows that without the patch the header is split into the wrong cookies. The vulnerable logic lived in the state machine of parseCookie, which previously allowed parsing to continue past unescaped delimiters inside a quoted value. Deployments on the 2.2.x line should move to 2.2.30.Final and those on 2.3.x to 2.3.11.Final (see the table below).
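To make the failure mode concrete, the following is an added, constructed model of the two parser shapes described above (the pre-patch one that only leaves the quoted state on a closing quote, and the patched one that also leaves it on a delimiter). It is not Undertow's source and does not reproduce its exact states or names; the function, flag and cookie names are invented, and the sample header is constructed. The `comma_is_separator` flag stands in for Undertow's commaIsSeperator option described in the text.

```python
"""
Model of a quoted-value cookie parser, pre-patch shape versus patched shape.
Constructed illustration only; not Undertow's code, names are invented.
"""
from typing import Dict


def parse_cookie_header(header: str, *, terminate_quoted_on_delim: bool,
                        comma_is_separator: bool = False) -> Dict[str, str]:
    """Parse a Cookie header value into name -> value (last occurrence wins).

    terminate_quoted_on_delim=False models the pre-patch state machine: once a
    value opens with '"', only a closing '"' leaves the quoted state, so every
    delimiter inside an unterminated quote is swallowed into that value.
    terminate_quoted_on_delim=True models the patched behaviour: ';' (and ','
    when comma_is_separator is set) resets the state even inside a quote.
    """
    def is_delim(c: str) -> bool:
        return c == ";" or (comma_is_separator and c == ",")

    cookies: Dict[str, str] = {}
    state = "skip"      # skip | name | value | quoted | after_quote
    start = 0           # index at which the current token began
    name = ""
    i = 0
    while i < len(header):
        c = header[i]
        if state == "skip":
            # eat whitespace and empty segments before a cookie name
            if c in " \t" or is_delim(c):
                start = i + 1
                i += 1
                continue
            state = "name"          # reprocess c as the first char of a name
            continue
        if state == "name":
            if c == "=":
                name = header[start:i]
                start = i + 1
                state = "value"
            elif is_delim(c):
                start = i + 1       # name without '=': drop it, start over
                state = "skip"
        elif state == "value":
            if is_delim(c):
                cookies[name] = header[start:i]
                start = i + 1
                state = "skip"
            elif c == '"' and i == start:
                start = i + 1       # quoted value: drop the opening quote
                state = "quoted"
        elif state == "quoted":
            if c == '"':
                cookies[name] = header[start:i]
                state = "after_quote"
            elif terminate_quoted_on_delim and is_delim(c):
                # patched shape: an unterminated quote ends at the delimiter
                cookies[name] = header[start:i]
                start = i + 1
                state = "skip"
        elif state == "after_quote":
            # ignore anything between the closing quote and the next delimiter
            if is_delim(c):
                start = i + 1
                state = "skip"
        i += 1
    if state in ("value", "quoted"):
        cookies[name] = header[start:]      # flush the final, unterminated token
    return cookies


# Constructed header: the first value opens a quote and never closes it.
ATTACK_HEADER = 'theme="dark; JSESSIONID=attacker-chosen-id; lang=en'


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "pre-patch",
              parse_cookie_header(ATTACK_HEADER, terminate_quoted_on_delim=patched))
```

With the pre-patch shape the entire remainder of the header, including the JSESSIONID cookie, becomes the value of `theme`, so a component that splits the same header at ';' (a browser, a proxy, or another server) and Undertow disagree about which cookies exist. With the patched shape the three cookies come out separately, and a normally quoted value such as `id="abc123"` still parses identically under both shapes.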
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.undertow:undertow-core | maven | >= 2.3.0.Alpha1, < 2.3.11.Final | 2.3.11.Final |
| io.undertow:undertow-core | maven | < 2.2.30.Final | 2.2.30.Final |