A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.

Affected Packages

Maven io.undertow:undertow-core

Affected versions: 2.1.0 (fixed in 2.1.6)

Maven io.undertow:undertow-core

Affected versions: 0 (fixed in 2.0.34)

Related CVEs

CVE-2021-20220

Key Information

GHSA ID

GHSA-qjwc-v72v-fq6r

Published

June 16, 2021 5:47 PM

Last Modified

February 11, 2022 9:11 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

io.undertow:undertow-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 3, 2025 6:16 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.