Lucene search
K
Database
Vendors
Products
Timeline
Vulnerabilities
Perimeter Scanner
Scanning
Projects
Scanner
Agent Scanning
API Scanning
Manual Audit
Email
Webhook
Resources
Documents
Blog
Glossary
FAQ
Plugins
Pricing
Contacts
About Us
Partners
Branding Guideline
Settings
Sign in
RedhatUndertow

16 matches found

CVE
CVEadded 2023/09/14 3:15 p.m.2602 views

CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

7.5CVSS7.3AI score0.0481EPSS
CVE
CVEadded 2023/09/27 3:18 p.m.559 views

CVE-2023-3223

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass...

7.5CVSS7.3AI score0.00767EPSS
CVE
CVEadded 2018/07/27 3:29 p.m.423 views

CVE-2017-12165

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

7.5CVSS7.4AI score0.01096EPSS
CVE
CVEadded 2018/07/27 3:29 p.m.404 views

CVE-2017-2670

It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.

7.5CVSS7.4AI score0.07915EPSS
CVE
CVEadded 2019/07/25 9:15 p.m.306 views

CVE-2019-10184

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

7.5CVSS7.2AI score0.01089EPSS
CVE
CVEadded 2022/08/23 4:15 p.m.255 views

CVE-2021-3690

A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

7.5CVSS7.1AI score0.00557EPSS
CVE
CVEadded 2022/08/26 4:15 p.m.216 views

CVE-2021-3859

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

7.5CVSS7.1AI score0.00191EPSS
CVE
CVEadded 2023/12/12 10:15 p.m.188 views

CVE-2023-5379

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluste...

7.5CVSS7.3AI score0.00128EPSS
CVE
CVEadded 2022/08/05 4:15 p.m.182 views

CVE-2022-2053

When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (...

7.5CVSS7.2AI score0.00434EPSS
CVE
CVEadded 2021/02/23 7:15 p.m.169 views

CVE-2020-27782

A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affect...

7.8CVSS7.1AI score0.00313EPSS
CVE
CVEadded 2022/08/31 4:15 p.m.163 views

CVE-2022-1319

A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADE...

7.5CVSS7.3AI score0.002EPSS
CVE
CVEadded 2020/01/23 5:15 p.m.157 views

CVE-2019-14888

A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.

7.5CVSS7.2AI score0.00342EPSS
CVE
CVEadded 2023/02/23 8:15 p.m.138 views

CVE-2022-4492

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

7.5CVSS7.3AI score0.00121EPSS
CVE
CVEadded 2022/08/31 4:15 p.m.131 views

CVE-2022-1259

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

7.5CVSS6.3AI score0.00151EPSS
CVE
CVEadded 2020/06/10 8:15 p.m.129 views

CVE-2020-10705

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.

7.5CVSS7.1AI score0.00384EPSS
CVE
CVEadded 2021/03/23 9:15 p.m.128 views

CVE-2019-19343

A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be...

7.5CVSS7.3AI score0.00507EPSS