9.1
CVE-2026-28367
- EPSS 0.05%
- Veröffentlicht 27.03.2026 16:13:05
- Zuletzt bearbeitet 10.04.2026 14:22:53
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer, potentially leading to unauthorized access or manipulation of web requests.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Apache Camel - Hawtio Version4.0
Redhat ≫ Build Of Apache Camel For Spring Boot Version4.0
Redhat ≫ Jboss Enterprise Application Platform Version7.0.0
Redhat ≫ Jboss Enterprise Application Platform Version8.0.0
Redhat ≫ Process Automation Version7.0
Redhat ≫ Single Sign-on Version7.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.144 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.1 | 3.9 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
| secalert@redhat.com | 8.7 | 2.2 | 5.8 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
|
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.