Vulnerabilities > Redhat > Undertow

DATE CVE VULNERABILITY TITLE RISK
2020-04-21 CVE-2020-1757 Improper Input Validation vulnerability in Redhat products
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
network
low complexity
redhat CWE-20
8.1
2020-01-23 CVE-2019-14888 A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS.
network
low complexity
redhat netapp
7.5
2019-10-02 CVE-2019-10212 Information Exposure Through Log Files vulnerability in multiple products
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security.
network
low complexity
redhat netapp CWE-532
critical
9.8
2019-07-25 CVE-2019-10184 Missing Authorization vulnerability in multiple products
undertow before version 2.0.23.Final is vulnerable to an information leak issue.
network
low complexity
redhat netapp CWE-862
7.5
2019-06-12 CVE-2019-3888 Information Exposure Through Log Files vulnerability in multiple products
A vulnerability was found in Undertow web server before 2.0.21.
network
low complexity
redhat netapp CWE-532
critical
9.8
2018-09-18 CVE-2018-14642 Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform and Undertow
An information leak vulnerability was found in Undertow.
network
low complexity
redhat CWE-200
5.3
2018-09-11 CVE-2018-1114 Resource Exhaustion vulnerability in Redhat Undertow, Virtualization and Virtualization Host
It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust.
network
low complexity
redhat CWE-400
6.5
2018-07-27 CVE-2017-2670 Infinite Loop vulnerability in multiple products
It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.
network
low complexity
redhat debian CWE-835
7.5
2018-07-27 CVE-2017-12165 HTTP Request Smuggling vulnerability in Redhat Undertow
It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.
network
low complexity
redhat CWE-444
7.5
2018-07-27 CVE-2017-2666 HTTP Request Smuggling vulnerability in multiple products
It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters.
network
low complexity
redhat debian CWE-444
6.5