CVE-2018-12537
N/A
N/A
Summary
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| The Eclipse Foundation | Eclipse Vert.x | 3.0 < unspecified | affected |
| The Eclipse Foundation | Eclipse Vert.x | unspecified <= 3.5.1 | affected |
Weaknesses
- CWE-93: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/eclipse/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72
- https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-021_vertx.txt
- https://access.redhat.com/errata/RHSA-2018:2371
- https://github.com/eclipse/vert.x/issues/2470
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=536038
- https://access.redhat.com/errata/RHSA-2018:3768
- https://bugzilla.redhat.com/show_bug.cgi?id=1591072
References
- https://github.com/eclipse/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72
- https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-021_vertx.txt
- https://access.redhat.com/errata/RHSA-2018:2371
- https://github.com/eclipse/vert.x/issues/2470
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=536038
- https://access.redhat.com/errata/RHSA-2018:3768
- https://bugzilla.redhat.com/show_bug.cgi?id=1591072
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.