{"id":"CVE-2017-7559","details":"In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.","aliases":["GHSA-rj76-h87p-r3wf"],"modified":"2026-04-10T04:00:56.258554Z","published":"2018-01-10T15:29:00.317Z","references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3454"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3455"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3456"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3458"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0002"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0005"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0003"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0004"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1322"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7559"},{"type":"REPORT","url":"https://issues.jboss.org/browse/UNDERTOW-1251"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/undertow-io/undertow","events":[{"introduced":"0b340d10071a6b73bb0b5412974fd342afbcd9ea"},{"fixed":"ca20c31781dd721837775b92ad5783d742546e17"},{"introduced":"967b5ecf796fe32afb9a131c7695f731b51303ca"},{"fixed":"9353aa465ba960f0c363fd9d8a164e42c0bccafa"},{"introduced":"0"},{"last_affected":"8947afcaa36dc1b8db3b355b9804893dc38a8abf"}],"database_specific":{"versions":[{"introduced":"1.3.0"},{"fixed":"1.3.31"},{"introduced":"1.4.0"},{"fixed":"1.4.17"},{"introduced":"0"},{"last_affected":"2.0.0-alpha1"}]}}],"versions":["1.3.0.Final","1.3.1.Final","1.3.10.Final","1.3.11.Final","1.3.12.Final","1.3.13.Final","1.3.14.Final","1.3.15.Final","1.3.16.Final","1.3.17.Final","1.3.18.Final","1.3.19.Final","1.3.2.Final","1.3.20.Final","1.3.21.Final","1.3.22.Final","1.3.23.Final","1.3.24.Final","1.3.25.Final","1.3.26.Final","1.3.27.Final","1.3.28.Final","1.3.3.Final","1.3.30.Final","1.3.5.Final","1.3.6.Final","1.3.7.Final","1.3.8.Final","1.3.9.Final","1.4.0.Final","1.4.1.Final","1.4.10.Final","1.4.11.Final","1.4.12.Final","1.4.13.Final","1.4.14.Final","1.4.15.Final","1.4.16.Final","1.4.2.Final","1.4.3.Final","1.4.4.Final","1.4.5.Final","1.4.6.Final","1.4.7.Final","1.4.8.Final","2.0.0.Alpha1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7559.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}