
Redhat Undertow vulnerabilities

45 known vulnerabilities affecting redhat/undertow.

Total CVEs: 45
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 24, MEDIUM 17

Vulnerabilities

CVE-2018-1048 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 1.4.22-1 | Date: 2018-01-24
Description: It was found that the AJP connector in Undertow, as shipped in JBoss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allows the slash / anti-slash characters encoded in the URL, which may lead to path traversal and result in the information disclosure of arbitrary local files.
Sources: osv
CVE-2017-7559 | MEDIUM | CVSS 6.1 | Affected: ≥ 1.3.0, < 1.3.31; ≥ 1.4.0, < 1.4.17; +1 more | Date: 2018-01-10
Description: In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpre
Sources: nvd, osv
CVE-2016-7046 | MEDIUM | CVSS 5.9 | Affected: ≥ 0, < 1.4.3-1 | Date: 2016-10-03
Description: Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via a long URL.
Sources: osv
CVE-2016-4993 | MEDIUM | CVSS 6.1 | Affected: ≥ 0, < 1.4.3-1 | Date: 2016-09-26
Description: CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Sources: osv
CVE-2014-7816 | MEDIUM | CVSS 5.0 | PoC | CWE-22 | Affected: ≤ 1.0.16; ≤ 1.1.0; +1 more | Date: 2014-12-01
Description: Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.
Sources: nvd