Headline
CVE-2021-20220: Possible regression in fix for CVE-2020-10687
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
Description Pedro Sampaio 2021-02-01 13:23:21 UTC
A regression issue reintroduced undertow’s CVE-2020-10687 after undertow 2.0.30.SP4.
Comment 9 errata-xmlrpc 2021-03-16 13:19:50 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2021:0885 https://access.redhat.com/errata/RHSA-2021:0885
Comment 10 errata-xmlrpc 2021-03-16 13:36:04 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
Via RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0873
Comment 11 errata-xmlrpc 2021-03-16 13:40:01 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
Via RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0874
Comment 12 errata-xmlrpc 2021-03-16 13:43:55 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
Via RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0872
Comment 13 Product Security DevOps Team 2021-03-16 19:20:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-20220
Comment 14 errata-xmlrpc 2021-03-23 14:18:26 UTC
This issue has been addressed in the following products:
Red Hat Single Sign-On 7.4.6
Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974
Comment 15 errata-xmlrpc 2021-06-02 14:23:46 UTC
This issue has been addressed in the following products:
Red Hat EAP-XP via EAP 7.3.x base
Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210
Comment 16 errata-xmlrpc 2021-07-15 15:25:48 UTC
This issue has been addressed in the following products:
Red Hat EAP-XP 2.0.0 via EAP 7.3.x base
Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755
Comment 17 Jonathan Christison 2021-08-10 13:36:26 UTC
Marking Red Hat Fuse 7 as not affected as a vulnerable version of undertow is not released, this vulnerability was not present in the versions of undertow distributed with Fuse (2.2.5 and 2.0.30SP4)