Redhat

Undertow

39 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.68%
  • Veröffentlicht 27.03.2026 16:13:05
  • Zuletzt bearbeitet 10.06.2026 22:16:56

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can...

  • EPSS 0.71%
  • Veröffentlicht 27.03.2026 16:13:05
  • Zuletzt bearbeitet 29.06.2026 10:16:30

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Go...

  • EPSS 0.7%
  • Veröffentlicht 27.03.2026 16:13:03
  • Zuletzt bearbeitet 29.06.2026 10:16:31

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exp...

  • EPSS 1.18%
  • Veröffentlicht 07.01.2026 16:04:22
  • Zuletzt bearbeitet 30.06.2026 05:17:10

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed ...

  • EPSS 2.17%
  • Veröffentlicht 02.09.2025 13:37:59
  • Zuletzt bearbeitet 30.06.2026 03:17:01

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload b...

  • EPSS 1.71%
  • Veröffentlicht 12.02.2024 21:15:08
  • Zuletzt bearbeitet 24.10.2025 14:15:38

A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files...

  • EPSS 1.02%
  • Veröffentlicht 12.12.2023 22:15:22
  • Zuletzt bearbeitet 25.10.2025 01:15:42

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJ...

  • EPSS 2.04%
  • Veröffentlicht 27.09.2023 15:18:56
  • Zuletzt bearbeitet 21.11.2024 08:16:44

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshol...

  • EPSS 1.77%
  • Veröffentlicht 14.09.2023 15:15:08
  • Zuletzt bearbeitet 21.11.2024 07:38:28

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

  • EPSS 0.6%
  • Veröffentlicht 23.02.2023 20:15:12
  • Zuletzt bearbeitet 12.03.2025 15:15:38

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol...