VulnerableCode Package Details - pkg:deb/debian/undertow@1.4.25-1?distro=sid

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2ez8-r9wv-53du	undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.	CVE-2017-12196 GHSA-cp7v-vmv7-6x2q
VCID-7ec2-9kmy-77eh	It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.	CVE-2018-1114 GHSA-gjjx-gqm4-wcgm
VCID-bm42-byxp-2kb5	In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.	CVE-2018-1067 GHSA-47mp-rq2x-wjf2

Vulnerability

Summary

Aliases

VCID-2ez8-r9wv-53du

undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.

CVE-2017-12196
GHSA-cp7v-vmv7-6x2q

VCID-7ec2-9kmy-77eh

It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.

CVE-2018-1114
GHSA-gjjx-gqm4-wcgm

VCID-bm42-byxp-2kb5

In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.

CVE-2018-1067
GHSA-47mp-rq2x-wjf2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T13:06:50.767432+00:00	Debian Importer	Fixing	VCID-2ez8-r9wv-53du	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:35:02.674779+00:00	Debian Importer	Fixing	VCID-bm42-byxp-2kb5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:35:37.419118+00:00	Debian Importer	Fixing	VCID-7ec2-9kmy-77eh	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T09:01:04.324037+00:00	Debian Importer	Fixing	VCID-2ez8-r9wv-53du	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:53:50.340004+00:00	Debian Importer	Fixing	VCID-bm42-byxp-2kb5	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:09:28.512897+00:00	Debian Importer	Fixing	VCID-7ec2-9kmy-77eh	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:55:44.936787+00:00	Debian Importer	Fixing	VCID-7ec2-9kmy-77eh	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:44.911490+00:00	Debian Importer	Fixing	VCID-bm42-byxp-2kb5	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:44.785880+00:00	Debian Importer	Fixing	VCID-2ez8-r9wv-53du	https://security-tracker.debian.org/tracker/data/json	38.1.0