Lucene search

Undertow Security Vulnerabilities - 2023

cve

CVE-2022-4492

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

7.5CVSS

7.3AI Score

0.001EPSS

2023-02-23 08:15 PM

cve

CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

7.5CVSS

7AI Score

0.001EPSS

2023-09-14 03:15 PM

2532

cve

CVE-2023-3223

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass...

7.5CVSS

7.2AI Score

0.025EPSS

2023-09-27 03:18 PM

507

cve

CVE-2023-5379

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluste...

7.5CVSS

7.3AI Score

0.001EPSS

2023-12-12 10:15 PM

152