CVE-2020-1745
- EPSS 0.64%
- Published 28.04.2020 15:15:13
- Last modified 21.11.2024 05:11:17
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulne...
CVE-2020-1757
- EPSS 0.46%
- Published 21.04.2020 17:15:12
- Last modified 21.11.2024 05:11:19
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the ...
CVE-2019-14888
- EPSS 0.24%
- Published 23.01.2020 17:15:11
- Last modified 21.11.2024 04:27:36
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a denial of service (DoS) and make the service unavailable over SSL.
CVE-2019-10212
- EPSS 0.29%
- Published 02.10.2019 19:15:11
- Last modified 21.11.2024 04:18:39
A flaw was found in all Undertow versions under 2.0.20, in the DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
CVE-2019-10184
- EPSS 0.68%
- Published 25.07.2019 21:15:11
- Last modified 21.11.2024 04:18:36
Undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the API.
CVE-2019-3888
- EPSS 0.57%
- Published 12.06.2019 14:29:04
- Last modified 21.11.2024 04:42:48
A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUE...
CVE-2018-14642
- EPSS 0.75%
- Published 18.09.2018 13:29:00
- Last modified 21.11.2024 03:49:29
An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain...
CVE-2018-1114
- EPSS 0.68%
- Published 11.09.2018 15:29:00
- Last modified 21.11.2024 03:59:12
It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized, which can exhaust the available file descriptors. This leads to a file handle leak.
CVE-2017-2670
- EPSS 5.97%
- Published 27.07.2018 15:29:00
- Last modified 21.11.2024 03:23:56
It was found in Undertow before 1.3.28 that, with a non-clean TCP close, the WebSocket server gets into an infinite loop on every IO thread, effectively causing DoS.
CVE-2017-12165
- EPSS 1.1%
- Published 27.07.2018 15:29:00
- Last modified 21.11.2024 03:08:57
It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes HTTP request headers with unusual whitespace, which can cause possible HTTP request smuggling.