CVE-2018-12537
Summary
| CVE | CVE-2018-12537 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-08-14 19:29:00 UTC |
| Updated | 2019-10-09 23:34:00 UTC |
| Description | In Eclipse Vert.x versions 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allows unfiltered values to inject a new header into the client request or server response. |
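The mechanism the description refers to, as an added example that is not Vert.x code and not part of the CVE record: a header serializer that copies values to the wire verbatim (the affected behaviour for both server responses and client requests), the same serializer guarded by a CR/LF check of the kind the upstream fix introduced, and a parser showing which header a receiving peer ends up seeing that the application never set. The tainted `Location` value, the `Set-Cookie` payload and all function names are constructed for illustration; the check is a generic one and does not reproduce the exact validation logic in vert.x.

```python
"""
Model of the CVE-2018-12537 header-injection behaviour, written for this
page (not Vert.x code). The same serializer models an HttpServer response
(start line = status line) and an HttpClient request (start line = request
line), since the description says both paths lacked the filter.
"""

CRLF = "\r\n"

# Constructed attacker-controlled value: it terminates the intended header
# and starts a new one. Names and values here are hypothetical.
TAINTED_LOCATION = "/home\r\nSet-Cookie: session=attacker"


def serialize_headers_unfiltered(start_line, headers):
    """Vulnerable: values are written verbatim, so CR/LF inside a value
    becomes a header boundary on the wire (affected Vert.x 3.0-3.5.1 model)."""
    lines = [start_line]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def validate_header_value(value):
    """Hardened: reject any value containing CR or LF. Checks each character
    separately so a bare LF, which lenient parsers also treat as a line end,
    is rejected too."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"illegal CR/LF in header value: {value!r}")
    return value


def serialize_headers_validated(start_line, headers):
    """Same wire format, but every value passes validate_header_value first."""
    checked = [(name, validate_header_value(value)) for name, value in headers]
    return serialize_headers_unfiltered(start_line, checked)


def parse_response_headers(raw):
    """What the receiving peer sees: (name, value) pairs after the start line."""
    head = raw.decode("latin-1").split(CRLF + CRLF, 1)[0]
    parsed = []
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def injected_header_names(raw, intended):
    """Header names present on the wire that the application never set
    (lower-cased, sorted); non-empty means injection succeeded."""
    seen = {name.lower() for name, _ in parse_response_headers(raw)}
    wanted = {name.lower() for name, _ in intended}
    return sorted(seen - wanted)


if __name__ == "__main__":
    intended = [("Location", TAINTED_LOCATION), ("Content-Length", "0")]
    raw = serialize_headers_unfiltered("HTTP/1.1 302 Found", intended)
    print(raw)
    print("injected:", injected_header_names(raw, intended))
    try:
        serialize_headers_validated("HTTP/1.1 302 Found", intended)
    except ValueError as err:
        print("rejected:", err)
```

Run as a script: the unfiltered serializer emits a `Set-Cookie` header the application never set, and the validated serializer refuses the same input. For a live check against a deployment, the equivalent is to supply a CR/LF-bearing value to any endpoint that reflects input into a header (a redirect target is the usual case) and inspect the raw response for a header you did not expect.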
Risk And Classification
Problem Types: CWE-20 (Improper Input Validation)
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-021_vertx.txt | MISC | www.compass-security.com | Third Party Advisory |
| 1591072 – (CVE-2018-12537) CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers | CONFIRM | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Http header CR / LF validation - fixes #2470 · eclipse-vertx/vert.x@1bb6445 · GitHub | CONFIRM | github.com | Third Party Advisory |
| 536038 – (CVE-2018-12537) CVE-2018-12537: vert.x: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers | CONFIRM | bugs.eclipse.org | Issue Tracking, Third Party Advisory |
| Http header CR / LF validation · Issue #2470 · eclipse-vertx/vert.x · GitHub | CONFIRM | github.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 983091 Java (maven) Security Update for io.vertx:vertx-core (GHSA-6cw8-7j6c-hccp)