Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1591072 - (CVE-2018-12537) CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers
CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
Blocks: 1591073
  Show dependency treegraph
Reported: 2018-06-13 22:12 EDT by Sam Fowler
Modified: 2018-10-08 17:25 EDT (History)
12 users (show)

See Also:
Fixed In Version: vertx 3.5.2
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2371 None None None 2018-08-09 10:39 EDT

  None (edit)
Description Sam Fowler 2018-06-13 22:12:43 EDT
Eclipse Vert.x before version 3.5.2 does not properly neutralize CR and LF characters in HTTP request before return responses. A remote attacker could exploit this to inject abritrary HTTP response headers to potentially mount cross-site scripting and cache poisoning attacks.

External Reference:


Upstream Issue:


Upstream Patch:

Comment 1 Andrej Nemec 2018-06-19 05:17:28 EDT

Comment 2 Hooman Broujerdi 2018-06-21 23:09:15 EDT

While the affected artifact is being shipped in Fuse 6.3 via camel-vertx component, the vulnerable code is not being used, therefore Fuse 6.3 is not affected.
Comment 5 errata-xmlrpc 2018-08-09 10:39:37 EDT
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:2371 https://access.redhat.com/errata/RHSA-2018:2371

Note You need to log in before you can comment on or make changes to this bug.