Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Undertow
(Redhat)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 34 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-02-23 | CVE-2022-4492 | The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. | Build_of_quarkus, Integration_camel_for_spring_boot, Integration_camel_k, Integration_service_registry, Jboss_enterprise_application_platform, Jboss_fuse, Migration_toolkit_for_applications, Migration_toolkit_for_runtimes, Single_sign\-On, Undertow | 7.5 | ||
| 2020-04-21 | CVE-2020-1757 | A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. | Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Undertow | 8.1 | ||
| 2020-04-28 | CVE-2020-1745 | A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this... | Undertow | 9.8 | ||
| 2021-02-23 | CVE-2021-20220 | A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity. | Active_iq_unified_manager, Oncommand_workflow_automation, Undertow | 4.8 |