io.undertow:undertow-servlet 2.0.30.Final vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the io.undertow:undertow-servlet package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M NULL Pointer Dereference io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow Affected versions of this package are vulnerable to NULL Pointer Dereference. NullPointerException occurred if a servlet calls `HttpServletRequest#getContextPath()` while EAP was shutting down. How to fix NULL Pointer Dereference? Upgrade `io.undertow:undertow-servlet` to version 2.0.34.Final, 2.1.6.Final, 2.2.4.Final or higher.	[0,2.0.34.Final)[2.1.0.Final,2.1.6.Final)[2.2.0.Final,2.2.4.Final)
H Denial of Service (DoS) io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow Affected versions of this package are vulnerable to Denial of Service (DoS). Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters. How to fix Denial of Service (DoS)? Upgrade `io.undertow:undertow-servlet` to version 2.0.33.Final, 2.1.5.Final, 2.2.3.Final or higher.	[,2.0.33.Final)[2.1.0.Final,2.1.5.Final)[2.2.0.Final,2.2.3.Final)
M Security Bypass io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow Affected versions of this package are vulnerable to Security Bypass. The `servletPath` is normalized by the Servlet container, and truncated after the semicolon, leading to a partial `servletPath`. Leading to a full path `/api/public/aa/secret` and `servletPath` `/api/public/aa` leading to application mapping `/secret`. This can lead to a security bypass depending on where and how URL-based security is applied. How to fix Security Bypass? Upgrade `io.undertow:undertow-servlet` to version 2.1.0.Final or higher.	[,2.1.0.Final)

Vulnerability

Vulnerable Version

NULL Pointer Dereference

io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

Affected versions of this package are vulnerable to NULL Pointer Dereference. NullPointerException occurred if a servlet calls HttpServletRequest#getContextPath() while EAP was shutting down.

How to fix NULL Pointer Dereference?

Upgrade io.undertow:undertow-servlet to version 2.0.34.Final, 2.1.6.Final, 2.2.4.Final or higher.

[0,2.0.34.Final)[2.1.0.Final,2.1.6.Final)[2.2.0.Final,2.2.4.Final)

Denial of Service (DoS)

io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

Affected versions of this package are vulnerable to Denial of Service (DoS). Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters.

How to fix Denial of Service (DoS)?

Upgrade io.undertow:undertow-servlet to version 2.0.33.Final, 2.1.5.Final, 2.2.3.Final or higher.

[,2.0.33.Final)[2.1.0.Final,2.1.5.Final)[2.2.0.Final,2.2.3.Final)

Security Bypass

io.undertow:undertow-servlet is a Servlet 4.0 implementation for Undertow

Affected versions of this package are vulnerable to Security Bypass. The servletPath is normalized by the Servlet container, and truncated after the semicolon, leading to a partial servletPath. Leading to a full path /api/public/aa/secret and servletPath /api/public/aa leading to application mapping /secret. This can lead to a security bypass depending on where and how URL-based security is applied.

How to fix Security Bypass?

Upgrade io.undertow:undertow-servlet to version 2.1.0.Final or higher.

[,2.1.0.Final)

io.undertow:undertow-servlet@2.0.30.Final vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically