Undertow Security Vulnerabilities and Issues — Undertow CVE List

Lucene search

RedhatUndertow

8 matches found

CVE•added 2018/04/18 1:29 a.m.•442 views

CVE-2017-12196

undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the des...

5.9CVSS5.6AI score0.00401EPSS

CVE•added 2022/05/24 7:15 p.m.•259 views

CVE-2021-3629

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and...

5.9CVSS6AI score0.00093EPSS

CVE•added 2014/12/01 3:59 p.m.•210 views

CVE-2014-7816

Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

5CVSS6.6AI score0.54404EPSS

CVE•added 2022/05/24 7:15 p.m.•195 views

CVE-2021-3597

A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1...

5.9CVSS5.5AI score0.0017EPSS

CVE•added 2020/09/23 1:15 p.m.•193 views

CVE-2020-10687

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS at...

5.8CVSS5.4AI score0.02955EPSS

CVE•added 2024/02/12 9:15 p.m.•186 views

CVE-2024-1459

A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.

5.3CVSS5AI score0.07724EPSS

CVE•added 2021/02/23 6:15 p.m.•180 views

CVE-2021-20220

A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS att...

5.8CVSS5.4AI score0.02955EPSS

CVE•added 2018/09/18 1:29 p.m.•98 views

CVE-2018-14642

An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

5.3CVSS5.4AI score0.00776EPSS