Candidate: CVE-2017-7559
PublicDate: 2018-01-10 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7559
Description:
 In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x
 before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was
 incomplete and invalid characters are still allowed in the query string and
 path parameters. This could be exploited, in conjunction with a proxy that
 also permitted the invalid characters but with a different interpretation,
 to inject data into the HTTP response. By manipulating the HTTP response
 the attacker could poison a web-cache, perform an XSS attack, or obtain
 sensitive information from requests other than their own.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]


Patches_undertow:
upstream_undertow: released (1.4.23-1)
precise/esm_undertow: DNE
trusty_undertow: DNE
trusty/esm_undertow: DNE
xenial_undertow: ignored (end of standard support, was needed)
zesty_undertow: ignored (reached end-of-life)
artful_undertow: ignored (reached end-of-life)
bionic_undertow: not-affected (1.4.23-3)
cosmic_undertow: not-affected (1.4.23-3)
disco_undertow: not-affected (1.4.23-3)
eoan_undertow: not-affected (1.4.23-3)
focal_undertow: not-affected (1.4.23-3)
groovy_undertow: not-affected (1.4.23-3)
hirsute_undertow: not-affected (1.4.23-3)
impish_undertow: not-affected (1.4.23-3)
jammy_undertow: not-affected (1.4.23-3)
devel_undertow: not-affected (1.4.23-3)