Headline
RHSA-2023:1663: Red Hat Security Advisory: Red Hat JBoss Web Server 5.7.2 release and security update
An update is now available for Red Hat JBoss Web Server 5.7.2 on Red Hat Enterprise Linux versions 7, 8, and 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-42252: A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, the server does not reject a request containing an invalid content-length header, making it vulnerable to a request smuggling attack.
- CVE-2022-45143: A flaw was found in the Tomcat package. This flaw allowed users to input an invalid JSON structure, causing unwanted behavior as it did not escape the type, message, or description values.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- OpenShift Dev Spaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-04-12
Updated:
2023-04-12
RHSA-2023:1663 - Security Advisory
- Overview
- Updated Packages
Synopsis
Low: Red Hat JBoss Web Server 5.7.2 release and security update
Type/Severity
Security Advisory: Low
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update is now available for Red Hat JBoss Web Server 5.7.2 on Red Hat Enterprise Linux versions 7, 8, and 9.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 5.7.2 serves as a replacement for Red Hat JBoss Web Server 5.7.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.
Security Fix(es):
- jws5-tomcat: tomcat: request smuggling (CVE-2022-42252)
- jws5-tomcat: tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- JBoss Enterprise Web Server 5 for RHEL 9 x86_64
- JBoss Enterprise Web Server 5 for RHEL 8 x86_64
- JBoss Enterprise Web Server 5 for RHEL 7 x86_64
Fixes
- BZ - 2141329 - CVE-2022-42252 tomcat: request smuggling
- BZ - 2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection
JBoss Enterprise Web Server 5 for RHEL 9
SRPM
jws5-tomcat-9.0.62-13.redhat_00011.1.el9jws.src.rpm
SHA-256: af6ea4ebfa27a91a0d9809dfa57e7f79a293303ec1f6bcadf1d505cb3e9d10e2
x86_64
jws5-tomcat-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: 93d7a91112924d1d7b09b5bdfe77ce0caa6b9d327a641e1cbb991f4181b62278
jws5-tomcat-admin-webapps-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: 31cfa037ee32f3a634343e999ce15722ae21325cc83b8e9ef7720cf78c8335e2
jws5-tomcat-docs-webapp-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: 1bad87e0c61532b4b1323c9cc589173e6bbc3e5b4f41d218d39a0498b7d68b71
jws5-tomcat-el-3.0-api-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: b4680eb7d6c37537c0598d8606ce6d0e1a1770ffd87600fd7c2f45cfa03e09a9
jws5-tomcat-javadoc-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: 9f6c7c18175df1b584bd3b696a3bc882c6a29db12c2ec5db18fbfb304390125e
jws5-tomcat-jsp-2.3-api-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: 22a46fa5a4b6295e86a8e5ff8d392603f8b2a8b021855d3867f60c9699e33ec7
jws5-tomcat-lib-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: b1bc57967769f7e7bc555628c65e74f6ddd91fd6a4f0451ad72de8cbcbda40fe
jws5-tomcat-selinux-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: 220a470c979f284fe351d45be85dbef4ab9037f1b367542288761e2fd7ab6cfe
jws5-tomcat-servlet-4.0-api-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: 24b15e684f43a0b1e6d352a4da9d3bee43d09f09583f59a1ec7b0d59300e6796
jws5-tomcat-webapps-9.0.62-13.redhat_00011.1.el9jws.noarch.rpm
SHA-256: bb0c33b5e165537e988b3738546d3430f84992f305f01cfa1683d568148109cf
JBoss Enterprise Web Server 5 for RHEL 8
SRPM
jws5-tomcat-9.0.62-13.redhat_00011.1.el8jws.src.rpm
SHA-256: 235f67e0379bba69020d3fa10372bbb794705abdc1660135411f13c696f89b3b
x86_64
jws5-tomcat-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: 694df91b6e5381c3b4b963e85503373fc04d549f72de3d9b8acbcacf0efd3b84
jws5-tomcat-admin-webapps-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: 1ae989d68bd97440a7009bf7e388422378779af7d71467a557c89701be5819a2
jws5-tomcat-docs-webapp-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: 56f4b72b3ae08759b41736ad1a951fb7ab34c8c73b51f6d92be8b86961b6258a
jws5-tomcat-el-3.0-api-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: 9cb3659fcde4747451cb22ea73e9fc423f96979a0915d23a45c732b067c1c353
jws5-tomcat-javadoc-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: f6c69d42553bceea796d4adfe77472455ff529e4a957e7aa8401375941c38ccd
jws5-tomcat-jsp-2.3-api-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: 381af12afc3e78367a60931170806a1fd3a160ff80b2438e02b911f3c9fcd6e4
jws5-tomcat-lib-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: 9419355355cee82359f80304c65a4d3a9ccf9440ae3da14a1b164ff5ee5946c1
jws5-tomcat-selinux-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: e1b36fa3f9431d6d2ee32c32a22ad0730af1706f7978e844a26cea84f7088a65
jws5-tomcat-servlet-4.0-api-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: 4ad11f33ff15416659f5bb9f089c00011b0faa1fc13617356e6e70fff4d03089
jws5-tomcat-webapps-9.0.62-13.redhat_00011.1.el8jws.noarch.rpm
SHA-256: 059956fe03363220f745455a9773ad6e043a9fc3d652ae606ccc4c7ad4ae8a5a
JBoss Enterprise Web Server 5 for RHEL 7
SRPM
jws5-tomcat-9.0.62-13.redhat_00011.1.el7jws.src.rpm
SHA-256: 36d3d1b59597a76e27ce09097d1d261f95f8b416e7246db18289e9133b3e0138
x86_64
jws5-tomcat-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: 004029f7b3af550f58a72dee937fa332b0651ab9c979286b588232b150d29d4c
jws5-tomcat-admin-webapps-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: 85fef3037f7d50687a753bab47c4d437611b8344a70d29c334aeb221a2b6b8bb
jws5-tomcat-docs-webapp-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: 3eb16d0cf3c8907dede07e4dba3b8da06bddfa800c6827494007ae54634e3e38
jws5-tomcat-el-3.0-api-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: 82ac4da9ef0b784a032329478e1078022d6964d87a704f677aaf110d16b97f9c
jws5-tomcat-java-jdk11-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: bc47d6b2c508d4f8eee7df0de491ff29794964796ca9c1d439b0bfafd5cc82a8
jws5-tomcat-java-jdk8-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: 9c90245959a612c681088652d2f8d1f2032bacddd0f0e3d95955fcf698180489
jws5-tomcat-javadoc-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: eac08b930a10d4ea7cfdfc159bd1d163e5d4067face30894a2b4d9081f90c711
jws5-tomcat-jsp-2.3-api-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: d3d0e745de6b1f38d728aa12b9a9c0573dfa2534e98a617035af7e39c5f623fc
jws5-tomcat-lib-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: 87425180b3b0c5ae7b7e6e77dccca6b31c073ab1b92f7eb8a0ab1895f2cb311e
jws5-tomcat-selinux-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: f3e806e849f68eb61e0d4c1d6e25960bed39ae2a013f42c58f3b2527c3fefa55
jws5-tomcat-servlet-4.0-api-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: 924742c81a1e113c9dfca2df7b2d94d00489c4c3610b905d1100e119a1f14b32
jws5-tomcat-webapps-9.0.62-13.redhat_00011.1.el7jws.noarch.rpm
SHA-256: 6b95081e66e23a90b34622bdf9f7cb0cbe114a66510fbc4aa6a36a58aba40370
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6880-1 - Sam Shahsavar discovered that Apache Tomcat did not properly reject HTTP requests with an invalid Content-Length header. A remote attacker could possibly use this issue to perform HTTP request smuggling attacks.
Red Hat Security Advisory 2023-4612-01 - Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.7.13 serves as a replacement for Red Hat support for Spring Boot 2.7.12, and includes security, bug fixes and enhancements. For more information, see the release notes linked in the References section. Issues addressed include bypass, code execution, denial of service, and deserialization vulnerabilities.
An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46877: A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. * CVE-2022-1471: A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malici...
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Red Hat Security Advisory 2023-3954-01 - This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, code execution, denial of service, information leakage, resource exhaustion, server-side request forgery, and traversal vulnerabilities.
A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2012-5783: It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or su...
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Dell SCG 5.14 contains an information disclosure vulnerability during the SRS to SCG upgrade path. A remote low privileged malicious user could potentially exploit this vulnerability to retrieve the plain text.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Red Hat Security Advisory 2023-1663-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.2 serves as a replacement for Red Hat JBoss Web Server 5.7.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.
Red Hat Security Advisory 2023-1663-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.2 serves as a replacement for Red Hat JBoss Web Server 5.7.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.
Red Hat Security Advisory 2023-1664-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.2 serves as a replacement for Red Hat JBoss Web Server 5.7.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.
Red Hat Security Advisory 2023-1664-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.2 serves as a replacement for Red Hat JBoss Web Server 5.7.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.
Red Hat JBoss Web Server 5.7.2 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Microsoft Windows. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42252: A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, the server does not reject a request containing an invalid content-length header, making it vulnerable to a request smuggling attack. * CVE-2022-45143: A fla...
Red Hat JBoss Web Server 5.7.2 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Microsoft Windows. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42252: A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, the server does not reject a request containing an invalid content-length header, making it vulnerable to a request smuggling attack. * CVE-2022-45143: A fla...
Debian Linux Security Advisory 5381-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
Debian Linux Security Advisory 5381-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.