VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-651q-4kpk-bbba

Essentials
Severities (25)
References (20)
Severity details (11)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-651q-4kpk-bbba
Aliases	CVE-2021-20220 GHSA-qjwc-v72v-fq6r
Summary	HTTP request smuggling in Undertow A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	4.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20220.json
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2021-20220
cvssv3.1	4.8	https://bugzilla.redhat.com/show_bug.cgi?id=1923133
generic_textual	MODERATE	https://bugzilla.redhat.com/show_bug.cgi?id=1923133
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-qjwc-v72v-fq6r
cvssv3.1	4.8	https://github.com/undertow-io/undertow/commit/9e797b2f99617fdad0471eaa88c711ee7f44605f
generic_textual	MODERATE	https://github.com/undertow-io/undertow/commit/9e797b2f99617fdad0471eaa88c711ee7f44605f
cvssv2	5.8	https://nvd.nist.gov/vuln/detail/CVE-2021-20220
cvssv3.1	4.8	https://nvd.nist.gov/vuln/detail/CVE-2021-20220
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2021-20220
cvssv3.1	4.8	https://security.netapp.com/advisory/ntap-20220210-0013
generic_textual	MODERATE	https://security.netapp.com/advisory/ntap-20220210-0013

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20220.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-20220
		https://bugzilla.redhat.com/show_bug.cgi?id=1923133
		https://github.com/undertow-io/undertow/commit/9e797b2f99617fdad0471eaa88c711ee7f44605f
		https://nvd.nist.gov/vuln/detail/CVE-2021-20220
		https://security.netapp.com/advisory/ntap-20220210-0013
		https://security.netapp.com/advisory/ntap-20220210-0013/
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:redhat:undertow::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow::::::::
GHSA-qjwc-v72v-fq6r		https://github.com/advisories/GHSA-qjwc-v72v-fq6r
RHSA-2021:0872		https://access.redhat.com/errata/RHSA-2021:0872
RHSA-2021:0873		https://access.redhat.com/errata/RHSA-2021:0873
RHSA-2021:0874		https://access.redhat.com/errata/RHSA-2021:0874
RHSA-2021:0885		https://access.redhat.com/errata/RHSA-2021:0885
RHSA-2021:0974		https://access.redhat.com/errata/RHSA-2021:0974
RHSA-2021:2210		https://access.redhat.com/errata/RHSA-2021:2210
RHSA-2021:2755		https://access.redhat.com/errata/RHSA-2021:2755

No exploits are available.

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20220.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=1923133

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/undertow-io/undertow/commit/9e797b2f99617fdad0471eaa88c711ee7f44605f

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-20220

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-20220

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20220210-0013

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.53596
EPSS Score	0.0031
Published At	June 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-01T12:19:43.738018+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-qjwc-v72v-fq6r/GHSA-qjwc-v72v-fq6r.json	36.1.3