io.undertow:undertow-servlet 1.0.0.CR5 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the io.undertow:undertow-servlet package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Memory Allocation with Excessive Size Value io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value due to improper `@MultipartConfig` annotation handling for very large multipart content. Note: If the server uses `fileSizeThreshold` to limit the file size, it's possible to bypass the limit by setting the file name in the request to null. How to fix Memory Allocation with Excessive Size Value? Upgrade `io.undertow:undertow-servlet` to version 2.2.25.Final, 2.3.7.Final or higher.	[,2.2.25.Final)[2.3.0,2.3.7.Final)
M NULL Pointer Dereference io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow Affected versions of this package are vulnerable to NULL Pointer Dereference. NullPointerException occurred if a servlet calls `HttpServletRequest#getContextPath()` while EAP was shutting down. How to fix NULL Pointer Dereference? Upgrade `io.undertow:undertow-servlet` to version 2.0.34.Final, 2.1.6.Final, 2.2.4.Final or higher.	[0,2.0.34.Final)[2.1.0.Final,2.1.6.Final)[2.2.0.Final,2.2.4.Final)
H Denial of Service (DoS) io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow Affected versions of this package are vulnerable to Denial of Service (DoS). Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters. How to fix Denial of Service (DoS)? Upgrade `io.undertow:undertow-servlet` to version 2.0.33.Final, 2.1.5.Final, 2.2.3.Final or higher.	[,2.0.33.Final)[2.1.0.Final,2.1.5.Final)[2.2.0.Final,2.2.3.Final)
M Security Bypass io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow Affected versions of this package are vulnerable to Security Bypass. The `servletPath` is normalized by the Servlet container, and truncated after the semicolon, leading to a partial `servletPath`. Leading to a full path `/api/public/aa/secret` and `servletPath` `/api/public/aa` leading to application mapping `/secret`. This can lead to a security bypass depending on where and how URL-based security is applied. How to fix Security Bypass? Upgrade `io.undertow:undertow-servlet` to version 2.1.0.Final or higher.	[,2.1.0.Final)
H Information Exposure io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow Affected versions of this package are vulnerable to Information Exposure. Web apps may have their directory structures predicted through requests without trailing slashes via the api. How to fix Information Exposure? Upgrade `io.undertow:undertow-servlet` to version 2.0.23.Final or higher.	[,2.0.23.Final)

Vulnerability

Vulnerable Version

Memory Allocation with Excessive Size Value

io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value due to improper @MultipartConfig annotation handling for very large multipart content.

Note: If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

How to fix Memory Allocation with Excessive Size Value?

Upgrade io.undertow:undertow-servlet to version 2.2.25.Final, 2.3.7.Final or higher.

[,2.2.25.Final)[2.3.0,2.3.7.Final)

NULL Pointer Dereference

io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

Affected versions of this package are vulnerable to NULL Pointer Dereference. NullPointerException occurred if a servlet calls HttpServletRequest#getContextPath() while EAP was shutting down.

How to fix NULL Pointer Dereference?

Upgrade io.undertow:undertow-servlet to version 2.0.34.Final, 2.1.6.Final, 2.2.4.Final or higher.

[0,2.0.34.Final)[2.1.0.Final,2.1.6.Final)[2.2.0.Final,2.2.4.Final)

Denial of Service (DoS)

io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

Affected versions of this package are vulnerable to Denial of Service (DoS). Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters.

How to fix Denial of Service (DoS)?

Upgrade io.undertow:undertow-servlet to version 2.0.33.Final, 2.1.5.Final, 2.2.3.Final or higher.

[,2.0.33.Final)[2.1.0.Final,2.1.5.Final)[2.2.0.Final,2.2.3.Final)

Security Bypass

io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

Affected versions of this package are vulnerable to Security Bypass. The servletPath is normalized by the Servlet container, and truncated after the semicolon, leading to a partial servletPath. Leading to a full path /api/public/aa/secret and servletPath /api/public/aa leading to application mapping /secret. This can lead to a security bypass depending on where and how URL-based security is applied.

How to fix Security Bypass?

Upgrade io.undertow:undertow-servlet to version 2.1.0.Final or higher.

[,2.1.0.Final)

Information Exposure

io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

Affected versions of this package are vulnerable to Information Exposure. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

How to fix Information Exposure?

Upgrade io.undertow:undertow-servlet to version 2.0.23.Final or higher.

[,2.0.23.Final)

io.undertow:undertow-servlet@1.0.0.CR5 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?