Homepage

io.undertow:undertow-servlet@1.0.0.Final vulnerabilities

  • latest version

    2.3.18.Final

  • latest non vulnerable version

    2.3.18.Final

  • first published

    11 years ago

  • latest version published

    2 months ago

  • licenses detected

  • package manager

    View on Maven Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the io.undertow:undertow-servlet package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Memory Allocation with Excessive Size Value

    io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

    Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value due to improper @MultipartConfig annotation handling for very large multipart content.

    Note: If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

    How to fix Memory Allocation with Excessive Size Value?

    Upgrade io.undertow:undertow-servlet to version 2.2.25.Final, 2.3.7.Final or higher.

    [,2.2.25.Final)[2.3.0,2.3.7.Final)
    • M
    NULL Pointer Dereference

    io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

    Affected versions of this package are vulnerable to NULL Pointer Dereference. NullPointerException occurred if a servlet calls HttpServletRequest#getContextPath() while EAP was shutting down.

    How to fix NULL Pointer Dereference?

    Upgrade io.undertow:undertow-servlet to version 2.0.34.Final, 2.1.6.Final, 2.2.4.Final or higher.

    [0,2.0.34.Final)[2.1.0.Final,2.1.6.Final)[2.2.0.Final,2.2.4.Final)
    • H
    Denial of Service (DoS)

    io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

    Affected versions of this package are vulnerable to Denial of Service (DoS). Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters.

    How to fix Denial of Service (DoS)?

    Upgrade io.undertow:undertow-servlet to version 2.0.33.Final, 2.1.5.Final, 2.2.3.Final or higher.

    [,2.0.33.Final)[2.1.0.Final,2.1.5.Final)[2.2.0.Final,2.2.3.Final)
    • M
    Security Bypass

    io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

    Affected versions of this package are vulnerable to Security Bypass. The servletPath is normalized by the Servlet container, and truncated after the semicolon, leading to a partial servletPath. Leading to a full path /api/public/aa/secret and servletPath /api/public/aa leading to application mapping /secret. This can lead to a security bypass depending on where and how URL-based security is applied.

    How to fix Security Bypass?

    Upgrade io.undertow:undertow-servlet to version 2.1.0.Final or higher.

    [,2.1.0.Final)
    • H
    Information Exposure

    io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

    Affected versions of this package are vulnerable to Information Exposure. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

    How to fix Information Exposure?

    Upgrade io.undertow:undertow-servlet to version 2.0.23.Final or higher.

    [,2.0.23.Final)
    • M
    Directory Traversal

    io.undertow:undertow-servlet Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.

    [1.0.0.Final,1.0.16.Final)
    Go back to all versions of this package