io.undertow:undertow-core@2.3.13.Final vulnerabilities

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Race Condition due to the reuse of the StringBuilder instance in the ProxyProtocolReadListener across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the StringBuilder.

This vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

Upgrade io.undertow:undertow-core to version 2.2.36.Final, 2.3.17.Final or higher.

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Memory Leak when the learning-push handler is configured with the default maxAge of -1. An attacker who can send normal HTTP requests may consume excessive memory.

Upgrade io.undertow:undertow-core to version 2.2.37.Final, 2.3.18.Final or higher.

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption through the handling of URL-encoded request path information on ajp-listener. An attacker can cause the server to process incorrect paths, leading to a disruption of service by sending specially crafted concurrent requests.

Upgrade io.undertow:undertow-core to version 2.2.33.Final, 2.3.14.Final or higher.

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to insufficient limitations on the amount of CONTINUATION frames that can be sent within a single stream. An attacker can use up compute or memory resources to cause a disruption in service by sending packets to vulnerable servers.

Upgrade io.undertow:undertow-core to version 2.2.33.Final, 2.3.14.Final or higher.