io.undertow:undertow-core@2.3.16.Final vulnerabilities

latest version

2.3.18.Final
latest non vulnerable version

2.3.18.Final
first published

12 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [1.0.0.Alpha1,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the io.undertow:undertow-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Race Condition io.undertow:undertow-core is a Java web server based on non-blocking IO. Affected versions of this package are vulnerable to Race Condition due to the reuse of the `StringBuilder` instance in the `ProxyProtocolReadListener` across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the `StringBuilder`. This vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. How to fix Race Condition? Upgrade `io.undertow:undertow-core` to version 2.2.36.Final, 2.3.17.Final or higher.	[,2.2.36.Final) [2.3.0.Alpha1,2.3.17.Final)
L Memory Leak io.undertow:undertow-core is a Java web server based on non-blocking IO. Affected versions of this package are vulnerable to Memory Leak when the `learning-push` handler is configured with the default `maxAge` of `-1`. An attacker who can send normal HTTP requests may consume excessive memory. How to fix Memory Leak? Upgrade `io.undertow:undertow-core` to version 2.2.37.Final, 2.3.18.Final or higher.	[,2.2.37.Final) [2.3.0.Alpha1,2.3.18.Final)

Race Condition

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Race Condition due to the reuse of the StringBuilder instance in the ProxyProtocolReadListener across multiple requests. An attacker can access data from previous requests or responses by exploiting the shared usage of the StringBuilder.

This vulnerability primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

How to fix Race Condition?

Upgrade io.undertow:undertow-core to version 2.2.36.Final, 2.3.17.Final or higher.

[,2.2.36.Final) [2.3.0.Alpha1,2.3.17.Final)

Memory Leak

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Memory Leak when the learning-push handler is configured with the default maxAge of -1. An attacker who can send normal HTTP requests may consume excessive memory.

How to fix Memory Leak?

Upgrade io.undertow:undertow-core to version 2.2.37.Final, 2.3.18.Final or higher.

[,2.2.37.Final) [2.3.0.Alpha1,2.3.18.Final)

Go back to all versions of this package

io.undertow:undertow-core@2.3.16.Final vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities