Candidate: CVE-2020-10687
PublicDate: 2020-09-23 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10687
 https://bugzilla.redhat.com/show_bug.cgi?id=1785049
Description:
 A flaw was discovered in all versions of Undertow before Undertow
 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is
 possible against HTTP/1.x and HTTP/2 due to permitting invalid characters
 in an HTTP request. This flaw allows an attacker to poison a web-cache,
 perform an XSS attack, or obtain sensitive information from request other
 than their own.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N [4.8 MEDIUM]


Patches_undertow:
upstream_undertow: needs-triage
precise/esm_undertow: DNE
trusty_undertow: ignored (out of standard support)
trusty/esm_undertow: DNE
xenial_undertow: ignored (end of standard support, was needs-triage)
bionic_undertow: needs-triage
eoan_undertow: ignored (reached end-of-life)
focal_undertow: needs-triage
groovy_undertow: ignored (reached end-of-life)
hirsute_undertow: not-affected (2.2.3-1)
impish_undertow: not-affected (2.2.3-1)
jammy_undertow: not-affected (2.2.3-1)
devel_undertow: not-affected (2.2.3-1)