Search for packages
| purl | pkg:rpm/redhat/eap7-undertow@1.4.18-12.SP12_redhat_00001.1.ep7?arch=el7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-aqt5-2ffy-9bgs
Aliases: CVE-2019-9515 |
HTTP/2: flood using SETTINGS frames results in unbounded memory growth | There are no reported fixed by versions. |
|
VCID-dmv4-ydq9-a7eq
Aliases: CVE-2019-9511 |
Excessive CPU usage in HTTP/2 with small window updates | There are no reported fixed by versions. |
|
VCID-dvxb-wu3m-xuaz
Aliases: CVE-2020-1745 GHSA-gv2w-88hx-8m9r |
Improper Authorization in Undertoe A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution. | There are no reported fixed by versions. |
|
VCID-hbte-dsw2-y7ad
Aliases: CVE-2019-9512 GHSA-hgr8-6h9x-f7q9 |
golang.org/x/net/http vulnerable to ping floods Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. ### Specific Go Packages Affected golang.org/x/net/http2 | There are no reported fixed by versions. |
|
VCID-n66u-b73u-zucb
Aliases: CVE-2019-9514 GHSA-39qc-96h7-956f |
golang.org/x/net/http vulnerable to a reset flood Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. ### Specific Go Packages Affected golang.org/x/net/http2 | There are no reported fixed by versions. |
|
VCID-nrk8-v4zp-6ubx
Aliases: CVE-2020-1710 |
EAP: field-name is not parsed in accordance to RFC7230 | There are no reported fixed by versions. |
|
VCID-p9y4-yce4-zqbk
Aliases: CVE-2019-14888 GHSA-vjxc-frw4-jmh5 |
Undertow vulnerable to Uncontrolled Resource Consumption A vulnerability was found in the Undertow HTTP server in versions before 2.0.29 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. | There are no reported fixed by versions. |
|
VCID-sxup-wzjc-tue1
Aliases: CVE-2020-1757 GHSA-2w73-fqqj-c92p |
Improper Input Validation in Undertow A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||