CVE-2018-12537

Description

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.

How to fix CVE-2018-12537

To remediate CVE-2018-12537, upgrade the affected package to a fixed version below.

• Maven/io.vertx:vertx-core—upgrade to 3.5.2 or later

Is CVE-2018-12537 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 3.0.0, < 3.5.2

References (9)

• ADVISORYgithub.com/advisories/GHSA-6cw8-7j6c-hccp
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-12537
• WEBaccess.redhat.com/errata/RHSA-2018:2371
• WEBaccess.redhat.com/errata/RHSA-2018:3768
• WEB