io.undertow:undertow-core@2.1.2.Final vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the io.undertow:undertow-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable versions (severity: H = high, M = medium)

  • Severity: Medium
Denial of Service (DoS)

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the HTTP/2 flow-control handling driven by the browser. This may cause excessive overhead or a denial of service in the server. The issue exists because the fix for CVE-2021-3629 was incomplete.

How to fix Denial of Service (DoS)?

Upgrade io.undertow:undertow-core to version 2.2.25.Final, 2.3.6.Final or higher.

Vulnerable versions: [0,2.2.25.Final) [2.3.0.Alpha1,2.3.6.Final)
  • Severity: High
Improper Certificate Validation

Affected versions of this package are vulnerable to Improper Certificate Validation via the Undertow client, which does not check that the server identity presented in the server certificate matches the host it connects to over HTTPS.

How to fix Improper Certificate Validation?

Upgrade io.undertow:undertow-core to version 2.2.24.Final, 2.3.5.Final or higher.

Vulnerable versions: [0,2.2.24.Final) [2.3.0.Alpha1,2.3.5.Final)
  • Severity: High
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via an AJP 400 response. When JBoss EAP 7 improperly sends two response packets, those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after the 400 by a CPING, because the proxy reads the second SEND_HEADERS response packet instead of the expected CPONG.

How to fix Denial of Service (DoS)?

Upgrade io.undertow:undertow-core to version 2.2.18, 2.3.0.Alpha2 or higher.

Vulnerable versions: [,2.2.18) [2.3.0.Alpha1,2.3.0.Alpha2)
  • Severity: Medium
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) when a POST request arrives through AJP and exceeds the max-post-size limit (maxEntitySize). The AjpServerRequestConduit implementation closes the connection without sending any response to the client/proxy, which results in the front-end proxy marking the backend worker as being in an error state and not forwarding requests to that worker for a while.

How to fix Denial of Service (DoS)?

Upgrade io.undertow:undertow-core to version 2.2.19.Final, 2.3.0.Alpha2 or higher.

Vulnerable versions: [,2.2.19.Final) [2.3.0.Alpha1,2.3.0.Alpha2)
  • Severity: Medium
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) due to an issue in the HTTP/2 flow-control handling driven by the browser.

How to fix Denial of Service (DoS)?

Upgrade io.undertow:undertow-core to version 2.0.40.Final, 2.2.11.Final or higher.

Vulnerable versions: [,2.0.40.Final) [2.1.0.Final,2.2.11.Final)
  • Severity: High
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) that causes client-side invocation timeouts for certain calls made over HTTP/2.

How to fix Denial of Service (DoS)?

Upgrade io.undertow:undertow-core to version 2.2.15.Final or higher.

Vulnerable versions: [0,2.2.15.Final)
  • Severity: Medium
Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a final-frame write failure in HTTP2SourceChannel under certain circumstances.

How to fix Denial of Service (DoS)?

Upgrade io.undertow:undertow-core to version 2.2.8.Final or higher.

Vulnerable versions: [0,2.2.8.Final)
  • Severity: Medium
HTTP Request Smuggling

Affected versions of this package are vulnerable to HTTP Request Smuggling. A regression undid Undertow's fix for CVE-2020-10687, reintroducing that issue.

How to fix HTTP Request Smuggling?

Upgrade io.undertow:undertow-core to version 2.0.34.Final, 2.1.6.Final or higher.

Vulnerable versions: [2.0.30.SP4,2.0.34.Final) [2.1.0,2.1.6.Final)
  • Severity: High
HTTP Request Smuggling

Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 because invalid characters are permitted in an HTTP request. This flaw allows an attacker to poison a web cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

How to fix HTTP Request Smuggling?

Upgrade io.undertow:undertow-core to version 2.1.6.Final, 2.0.34.Final or higher.

Vulnerable versions: [2.1.0.Final,2.1.6.Final) [,2.0.34.Final)