Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Undertow
(Redhat)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 34 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-04-28 | CVE-2020-1745 | A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this... | Undertow | 9.8 | ||
| 2023-12-12 | CVE-2023-5379 | A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This... | Jboss_enterprise_application_platform, Single_sign\-On, Undertow | 7.5 | ||
| 2018-05-21 | CVE-2018-1067 | In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value. | Jboss_enterprise_application_platform, Undertow, Virtualization_host | 6.1 | ||
| 2020-05-26 | CVE-2020-10719 | A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. | Active_iq_unified_manager, Oncommand_insight, Oncommand_workflow_automation, Fuse, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On, Undertow | 6.5 | ||
| 2020-09-23 | CVE-2020-10687 | A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. | Jboss_enterprise_application_platform, Single_sign\-On, Undertow | 4.8 | ||
| 2022-08-23 | CVE-2021-3690 | A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability. | Fuse, Integration_camel_k, Integration_camel_quarkus, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On, Undertow | 7.5 | ||
| 2023-02-23 | CVE-2022-4492 | The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. | Build_of_quarkus, Integration_camel_for_spring_boot, Integration_camel_k, Integration_service_registry, Jboss_enterprise_application_platform, Jboss_fuse, Migration_toolkit_for_applications, Migration_toolkit_for_runtimes, Single_sign\-On, Undertow | 7.5 | ||
| 2022-05-24 | CVE-2021-3629 | A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. | Active_iq_unified_manager, Oncommand_insight, Oncommand_workflow_automation, Integration, Jboss_enterprise_application_platform, Single_sign\-On, Undertow, Wildfly_core | 5.9 | ||
| 2022-08-26 | CVE-2021-3859 | A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks. | Cloud_secure_agent, Oncommand_insight, Oncommand_workflow_automation, Jboss_enterprise_application_platform, Single_sign\-On, Undertow | 7.5 | ||
| 2022-05-24 | CVE-2021-3597 | A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final. | Active_iq_unified_manager, Oncommand_insight, Oncommand_workflow_automation, Fuse, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On, Undertow | 5.9 |