io.undertow:undertow-core 2.3.24.Final

Direct Vulnerabilities

Known vulnerabilities in the io.undertow:undertow-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H HTTP Request Smuggling io.undertow:undertow-core is a Java web server based on non-blocking IO. Affected versions of this package are vulnerable to HTTP Request Smuggling due to incorrect handling of white-spaces in HTTP request headers. An attacker can gain unauthorized access to restricted information or perform unauthorized actions by sending specially crafted HTTP requests with leading spaces in the first header line. How to fix HTTP Request Smuggling? There is no fixed version for `io.undertow:undertow-core`.	[0,)
H HTTP Request Smuggling io.undertow:undertow-core is a Java web server based on non-blocking IO. Affected versions of this package are vulnerable to HTTP Request Smuggling via the proxy server. An attacker can gain unauthorized access or manipulate web requests by sending specially crafted header block terminators (`\r\r\r`) to exploit differences in how certain proxy servers interpret HTTP requests. How to fix HTTP Request Smuggling? There is no fixed version for `io.undertow:undertow-core`.	[0,)
H Allocation of Resources Without Limits or Throttling io.undertow:undertow-core is a Java web server based on non-blocking IO. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `MultiPartParserDefinition` multipart parsing process in `MultiPartParserDefinition.java`. An attacker can cause multipart/form-data content from an HTTP `GET` request to be parsed and prematurely written to disk by sending a request that triggers parameter parsing, such as `getParameterMap()`, leading to resource exhaustion or unwanted persistence of attacker-controlled data. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `io.undertow:undertow-core` to version 2.4.0.Beta1 or higher.	[,2.4.0.Beta1)

Vulnerability

Vulnerable Version

HTTP Request Smuggling

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to incorrect handling of white-spaces in HTTP request headers. An attacker can gain unauthorized access to restricted information or perform unauthorized actions by sending specially crafted HTTP requests with leading spaces in the first header line.

How to fix HTTP Request Smuggling?

There is no fixed version for io.undertow:undertow-core.

[0,)

HTTP Request Smuggling

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the proxy server. An attacker can gain unauthorized access or manipulate web requests by sending specially crafted header block terminators (\r\r\r) to exploit differences in how certain proxy servers interpret HTTP requests.

How to fix HTTP Request Smuggling?

There is no fixed version for io.undertow:undertow-core.

[0,)

Allocation of Resources Without Limits or Throttling

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the MultiPartParserDefinition multipart parsing process in MultiPartParserDefinition.java. An attacker can cause multipart/form-data content from an HTTP GET request to be parsed and prematurely written to disk by sending a request that triggers parameter parsing, such as getParameterMap(), leading to resource exhaustion or unwanted persistence of attacker-controlled data.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade io.undertow:undertow-core to version 2.4.0.Beta1 or higher.

[,2.4.0.Beta1)

io.undertow:undertow-core@2.3.24.Final

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically