redhat undertow CVE-2021-20220 in Red Hat and NetApp Products
Published on February 23, 2021

product logo product logo
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.

NVD

Weakness Type

What is a HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2021-20220 has been classified to as a HTTP Request Smuggling vulnerability or weakness.


Products Associated with CVE-2021-20220

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-20220 are published in these products:

Red Hat Undertow
 
NetApp Active Iq Unified Manager
 
NetApp Oncommand Workflow Automation
 

Exploit Probability

EPSS
0.18%
Percentile
39.84%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.