Lucene search
K

28 matches found

CVE
CVE
added 2023/09/14 2:48 p.m.2759 views

CVE-2023-1108

CVE-2023-1108 affects Undertow within Red Hat JBoss EAP 7.3.x (SSLConduit) where an infinite loop on close can cause DoS. Connected RHSA-2025-9583 confirms the issue and indicates a fix in the eap-7.3.z line (Patched Undertow). Remediation is to upgrade to the patched EAP 7.3.x release (eap-7.3.z...

7.5CVSS7.3AI score0.01771EPSS
CVE
CVE
added 2017/10/03 3:0 p.m.1600 views

CVE-2017-12617

CVE-2017-12617 concerns Apache Tomcat JSP upload via HTTP PUT when readonly=false and PUTs are allowed. Affected: Tomcat 7.x/8.x/9.x (various 7.0.0–7.0.81, 8.0.0.RC1–8.0.46, 8.5.0–8.5.22, 9.0.0.M1–9.0.0) with PUT enabled. Root cause: PUT request handling allowed uploading a JSP, enabling remote c...

8.1CVSS7.5AI score0.99988EPSS
In wild
CVE
CVE
added 2015/02/17 3:0 p.m.1260 views

CVE-2015-1427

CVE-2015-1427 concerns Elasticsearch’s Groovy scripting engine, where dynamic scripting was enabled by default in versions before 1.3.8 (and 1.4.x before 1.4.3). The root cause is a sandbox bypass in the Groovy sandbox that allows remote attackers to execute arbitrary shell commands via a crafted...

9.8CVSS9.2AI score0.99906EPSS
In wildWeb
CVE
CVE
added 2016/06/07 2:0 p.m.1248 views

CVE-2016-4437

The CVE-2016-4437 issue affects Apache Shiro before 1.2.5 when no cipher key is configured for the rememberMe feature, enabling remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. Public advisories describe an RCE condition with ...

9.8CVSS8.3AI score0.93143EPSS
In wildWeb
CVE
CVE
added 2017/04/17 9:0 p.m.599 views

CVE-2017-5645

CVE-2017-5645 affects Apache Log4j 2.x prior to 2.8.2. The vulnerability arises when using a TCP/UDP socket server to receive serialized log events from another application; a crafted binary payload can be deserialized to execute arbitrary code. The documented impact is remote code execution via ...

9.8CVSS9.5AI score0.8904EPSS
CVE
CVE
added 2022/08/23 3:50 p.m.342 views

CVE-2021-3690

CVE-2021-3690 affects Undertow: a buffer leak on the incoming WebSocket PONG message can cause memory exhaustion leading to DoS. The vulnerability impacts Undertow-based components (WebSocket handling). A security update/patch for Undertow is available per OSV/OESA entries; exploit details are no...

7.5CVSS7.1AI score0.01375EPSS
CVE
CVE
added 2024/02/19 9:23 p.m.299 views

CVE-2024-1635

Undertow vulnerability CVE-2024-1635 affects servers supporting the wildfly-http-client protocol. The issue arises during HTTP upgrade to remoting: WriteTimeoutStreamSinkConduit is not notified when a RemotingConnection is closed, causing timeout tasks to leak and accumulate, which leaks connecti...

7.5CVSS7.4AI score0.04572EPSS
CVE
CVE
added 2019/11/08 2:46 p.m.294 views

CVE-2019-10219

The CVE-2019-10219 entry affects Hibernate Validator: SafeHtml validator annotation fails to sanitize HTML comments/instructions, enabling XSS in affected code paths. Affected CP4S versions are 1.7.2.0, 1.8.0.0, and 1.8.1.0. Remediation is to upgrade to Cloud Pak for Security 1.9.0.0 per IBM guid...

6.5CVSS6AI score0.02167EPSS
CVE
CVE
added 2020/07/06 6:35 p.m.294 views

CVE-2019-14900

CVE-2019-14900 affects Hibernate ORM prior to 5.3.18, 5.4.18, and 5.5.0.Beta1. The flaw is a SQL injection in the JPA Criteria API implementation that can permit unsanitized literals in the SELECT or GROUP BY clauses, enabling an attacker to access unauthorized information. The connected document...

6.5CVSS6.7AI score0.02126EPSS
CVE
CVE
added 2018/04/06 1:0 p.m.277 views

CVE-2018-1270

Summary: CVE-2018-1270 affects Spring Framework versions 5.0.x before 5.0.5 and 4.3.x before 4.3.15 (and older unsupported) via the spring-messaging module, which can expose STOMP over WebSocket endpoints to a simple in-memory broker. A malicious actor can craft a message to the broker that leads...

9.8CVSS9.4AI score0.77245EPSS
Web
CVE
CVE
added 2022/05/24 6:19 p.m.272 views

CVE-2021-3597

CVE-2021-3597 affects Undertow’s HTTP2SourceChannel and can cause DoS by failing to write the final frame. Affected products/versions include Undertow releases prior to 2.0.35.SP1, 2.2.6.SP1, 2.2.7.SP1, 2.0.36.SP1, 2.2.9.Final and 2.0.39.Final. The vulnerability is addressed in Red Hat JBoss EAP ...

5.9CVSS5.5AI score0.01061EPSS
CVE
CVE
added 2019/05/23 1:42 p.m.255 views

CVE-2019-0201

CVE-2019-0201 affects Apache ZooKeeper up to versions 3.4.13 and 3.5.4-beta, where getACL() does not enforce permissions and returns the ACL Id in plaintext. When Digest Authentication is in use, the unsalted hash value contained in the Id field can be disclosed to unauthenticated or unprivileged...

5.9CVSS5.8AI score0.09634EPSS
CVE
CVE
added 2020/05/26 2:57 p.m.251 views

CVE-2020-10719

Undertow under CVE-2020-10719 is vulnerable in versions before 2.1.1.Final due to improper handling of invalid HTTP requests with large chunk sizes, enabling HTTP request smuggling. Several connected sources (Red Hat advisories, Mageia security advisory) confirm a fix/update to Undertow 2.1.1.Fin...

6.5CVSS6AI score0.01005EPSS
CVE
CVE
added 2018/05/11 8:0 p.m.250 views

CVE-2018-1258

CVE-2018-1258 affects Spring Framework 5.0.5 when used with any Spring Security version, enabling an authorization bypass for method security. An unauthorized user could access restricted methods. The connected advisory from F5 reiterates the same vulnerability description and lists affected prod...

8.8CVSS9AI score0.02427EPSS
CVE
CVE
added 2019/03/25 9:43 p.m.225 views

CVE-2019-0204

CVE-2019-0204 affects Apache Mesos (pre-1.4.x, and 1.4.0–1.4.2, 1.5.0–1.5.2, 1.6.0–1.6.1, 1.7.0–1.7.1). A crafted Docker image run as root can overwrite the container runtime init helper binary and/or the Mesos command executor, enabling root-level code execution on the host. Public records in th...

9.3CVSS7.9AI score0.02712EPSS
In wild
CVE
CVE
added 2022/08/24 3:2 p.m.191 views

CVE-2021-4178

CVE-2021-4178 affects the Fabric8 Kubernetes client (versions 5.0.0-beta-1 and newer) due to unsafe YAML parsing in unmarshalYaml, enabling local, privileged code execution via a crafted YAML payload. The issue is confirmed across multiple sources (NVD/NVD-derived entry and Red Hat/Jenkins adviso...

6.7CVSS6.7AI score0.00309EPSS
CVE
CVE
added 2021/05/27 6:45 p.m.180 views

CVE-2020-10688

CVE-2020-10688 affects RESTEasy prior to 3.11.1.Final and 4.5.3.Final, where improper URL encoding during RESTEASY003870 exception handling enables a reflected XSS attack. The issue resides in the RESTEasy component and enables an attacker to execute script in a victim’s browser when user-supplie...

6.1CVSS5.7AI score0.01394EPSS
CVE
CVE
added 2020/10/30 12:0 a.m.174 views

CVE-2020-25689

CVE-2020-25689 : In WildFly, all versions up to 21.0.0.Final exhibit a memory-leak in the host-controller when reconnection attempts loop, causing new connections to be created but not properly closed. This can trigger an Out of Memory (OOM) condition and denial of service, primarily affecting av...

6.8CVSS6.1AI score0.01469EPSS
CVE
CVE
added 2026/01/07 4:4 p.m.168 views

CVE-2025-12543

Undertow core in WildFly/JBoss EAP is affected by CVE-2025-12543 due to improper validation of the Host header in HTTP requests. This can allow cache poisoning, internal network discovery, or user session hijacking. The CVSSv3.1 base score is 9.6 (CRITICAL) with network access, low attack complex...

9.6CVSS6.2AI score0.01179EPSS
CVE
CVE
added 2019/11/25 10:26 a.m.162 views

CVE-2019-10174

CVE-2019-10174 concerns Infinispan. The public ReflectionUtil.invokeAccessibly method allows an application class to invoke private methods in any class with Infinispan’s privileges, enabling unintended behavior changes via reflection. Connected advisories (OSV/RHSA) reference a security fix path...

8.8CVSS8.3AI score0.03089EPSS
CVE
CVE
added 2018/03/16 8:0 p.m.150 views

CVE-2018-1199

CVE-2018-1199 affects Spring Security (4.1.x before 4.1.5, 4.2.x before 4.2.4, 5.0.x before 5.0.1) and Spring Framework (4.3.x before 4.3.14, 5.0.x before 5.0.3). The issue is that URL path parameters are not consistently handled when evaluating security constraints, allowing an attacker to bypas...

5.3CVSS5.3AI score0.02857EPSS
CVE
CVE
added 2017/04/29 7:0 p.m.144 views

CVE-2017-7957

CVE-2017-7957 arises from XStream up to version 1.4.9 mishandling attempts to create an instance of the primitive type void during unmarshalling, which can cause a remote application crash when unmarshalling . The vulnerability is documented across multiple sources (e.g., Nessus/IBM/Guardium bull...

7.5CVSS7.3AI score0.04928EPSS
CVE
CVE
added 2019/11/08 2:45 p.m.127 views

CVE-2019-14860

CVE-2019-14860 affects Red Hat Fuse / Syndesis: the Syndesis CORS configuration was identified as allowing all origins, enabling potential phishing and unauthorized information access. The root cause is a default CORS policy that is too permissive for cross-origin requests. Public advisories (RHS...

7.4CVSS6.3AI score0.01165EPSS
CVE
CVE
added 2026/03/27 4:13 p.m.100 views

CVE-2026-28369

Undertow contains a vulnerability where the first HTTP header line with leading spaces is stripped, violating HTTP standards and enabling request smuggling. Affected component: Undertow HTTP header parsing. Root cause: improper handling that trims leading spaces on the initial header line. Impact...

9.1CVSS5.9AI score0.00677EPSS
CVE
CVE
added 2025/09/02 1:37 p.m.79 views

CVE-2025-9784

CVE-2025-9784 (MadeYouReset) is a Denial of Service flaw in Undertow where malformed client requests trigger server-side stream resets, allowing high resource load via HTTP/2. The Red Hat/IBM advisory ties the affected product to IBM InfoSphere Information Server (11.7.x) using Undertow; affected...

7.5CVSS5.9AI score0.0217EPSS
CVE
CVE
added 2026/03/27 4:13 p.m.68 views

CVE-2026-28367

Undertow contains a flaw that allows HTTP request smuggling by sending a header terminator of \r\r\r. A remote attacker could exploit this against certain proxies (e.g., older Apache Traffic Server, Google Cloud Classic Application Load Balancer) to cause unauthorized access or manipulation of we...

9.1CVSS5.8AI score0.00706EPSS
CVE
CVE
added 2026/03/27 4:13 p.m.41 views

CVE-2026-28368

A vulnerability (CVE-2026-28368) affects Undertow and involves a discrepancy in header parsing between Undertow and upstream proxies, enabling HTTP request smuggling. Reported across multiple sources (NVD, Debian/Ubuntu OSV, Circl, GitHub advisories, and Nessus plugin) with confirmed references t...

9.1CVSS5.9AI score0.00704EPSS
CVE
CVE
added 2026/03/13 3:8 a.m.17 views

CVE-2025-57849

CVE-2025-57849 describes a container privilege escalation in certain Fuse images caused by the /etc/passwd file being created with group-writable permissions during build time. In affected containers, a non-root user who can run commands could use root-group membership to modify /etc/passwd, enab...

6.4CVSS6AI score0.00208EPSS