Redhat

Undertow

35 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2025-9784

  • EPSS 0.22%
  • Published 02.09.2025 13:37:59
  • Last modified 24.09.2025 14:15:52

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload b...

5.3

CVE-2024-1459

  • EPSS 7.72%
  • Published 12.02.2024 21:15:08
  • Last modified 22.11.2024 12:15:18

A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files...

7.5

CVE-2023-5379

  • EPSS 0.23%
  • Published 12.12.2023 22:15:22
  • Last modified 21.11.2024 08:41:39

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJ...

7.5

CVE-2023-3223

  • EPSS 0.88%
  • Published 27.09.2023 15:18:56
  • Last modified 21.11.2024 08:16:44

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshol...

7.5

CVE-2023-1108

  • EPSS 2.56%
  • Published 14.09.2023 15:15:08
  • Last modified 21.11.2024 07:38:28

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

7.5

CVE-2022-4492

  • EPSS 0.12%
  • Published 23.02.2023 20:15:12
  • Last modified 12.03.2025 15:15:38

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol...

4.9

CVE-2022-2764

  • EPSS 0.12%
  • Published 01.09.2022 21:15:09
  • Last modified 21.11.2024 07:01:39

A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.

7.5

CVE-2022-1259

  • EPSS 0.18%
  • Published 31.08.2022 16:15:09
  • Last modified 21.11.2024 06:40:21

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

7.5

CVE-2022-1319

  • EPSS 0.23%
  • Published 31.08.2022 16:15:09
  • Last modified 21.11.2024 06:40:28

A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400...

7.5

CVE-2021-3859

  • EPSS 0.9%
  • Published 26.08.2022 16:15:09
  • Last modified 21.11.2024 06:22:40

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.