Public Date:
1591072: CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers

The MITRE CVE dictionary describes this issue as:

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.

Find out more about CVE-2018-12537 from the MITRE CVE dictionary dictionary and NIST NVD.


While the affected artifact is being shipped in Fuse 6.3 via camel-vertx component, the vulnerable code is not being used, therefore Fuse 6.3 is not affected.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 5.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact Low
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat OpenShift Application Runtimes 1.0 RHSA-2018:2371 2018-08-09
Red Hat JBoss Fuse 7 RHSA-2018:3768 2018-12-04

Affected Packages State

Platform Package State
Red Hat JBoss Fuse 6 vertx Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation