Source: undertow
Version: 1.4.3-1
Severity: important
Tags: security upstream
Forwarded: https://issues.jboss.org/browse/UNDERTOW-1302

Hi,

The following vulnerability was published for undertow; the original CVE-2016-4993 fix via 1.4.3 upstream was incomplete. No fix available at the time of writing.

CVE-2018-1067[0]:
| In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the
| fix for CVE-2016-4993 was incomplete and Undertow web server is
| vulnerable to the injection of arbitrary HTTP headers, and also
| response splitting, due to insufficient sanitization and validation of
| user input before the input is used as part of an HTTP header value.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1067
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1067
[1] https://issues.jboss.org/browse/UNDERTOW-1302

Regards,
Salvatore
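The CVE text above describes the general failure mode: user input reaches an HTTP header value without being checked for line-terminating control characters, so a single value can end the header and start another header or the body. The following validator is an added, language-neutral illustration of the mitigation, not Undertow code and not the upstream fix (whose details are not in this report): it checks each header value against the RFC 7230 field-value character set instead of stripping one particular byte sequence, so lone CR, lone LF and other control characters are rejected as well as CRLF.

```python
import re

# RFC 7230 field-value characters: HTAB, SP, VCHAR (0x21-0x7E) and obs-text
# (0x80-0xFF). Every control character, including a lone CR or LF, falls
# outside this allowlist, so a value cannot terminate the header line it is
# placed in (header injection) or end the header block (response splitting).
_FIELD_VALUE = re.compile(r'\A[\t\x20-\x7e\x80-\xff]*\Z')

# RFC 7230 token characters for header names.
_TOKEN = re.compile(r'\A[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\Z')


class HeaderInjectionError(ValueError):
    """Raised when a header name or value contains characters that may not be emitted."""


def is_safe_header_value(value: str) -> bool:
    """True if every character of value is allowed in a header field-value."""
    return _FIELD_VALUE.match(value) is not None


def validate_header(name: str, value: str) -> tuple[str, str]:
    """Return (name, value) unchanged when both are safe; raise otherwise.

    Validation rejects rather than rewrites: silently deleting a specific
    sequence such as CRLF is the kind of blocklist that tends to leave variants
    (lone CR, lone LF) behind, whereas an allowlist has no such gaps.
    """
    if not _TOKEN.match(name):
        raise HeaderInjectionError(f"illegal header name: {name!r}")
    if not is_safe_header_value(value):
        raise HeaderInjectionError(f"control character in value of header {name!r}")
    return name, value


def build_redirect_response(location: str) -> bytes:
    """Serialise a minimal 302 response whose Location comes from user input.

    The Location value is validated before it is joined into the wire format,
    so the CRLF separators below are the only line terminators in the output.
    """
    name, value = validate_header("Location", location)
    lines = ["HTTP/1.1 302 Found", f"{name}: {value}", "Content-Length: 0", "", ""]
    return "\r\n".join(lines).encode("latin-1")
```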

