Package details: pkg:rpm/redhat/eap8-undertow@2.3.11-1.SP1_redhat_00001.1?arch=el8eap
purl: pkg:rpm/redhat/eap8-undertow@2.3.11-1.SP1_redhat_00001.1?arch=el8eap
Next non-vulnerable version: None.
Latest non-vulnerable version: None.
Risk: 4.0
Vulnerabilities affecting this package (3)
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1vrj-chs2-d3ab (Aliases: CVE-2023-1973, GHSA-97cq-f4jm-mv8h) | Undertow Denial of Service vulnerability. A flaw was found in the Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutOfMemory error, exhausting the server's memory. | There are no reported fixed by versions. |
| VCID-2cv5-9v62-kfbm (Aliases: CVE-2024-1459, GHSA-v76w-3ph8-vm66) | Undertow Path Traversal vulnerability. A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories. | There are no reported fixed by versions. |
| VCID-d3ty-z2dg-vka1 (Aliases: CVE-2023-4639, GHSA-3jrv-jgp8-45v3) | Undertow incorrectly parses cookies. A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity. | There are no reported fixed by versions. |
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:50:14.773261+00:00 | RedHat Importer | Affected by | VCID-2cv5-9v62-kfbm | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1459.json | 38.0.0 |
| 2026-04-01T13:49:58.611728+00:00 | RedHat Importer | Affected by | VCID-d3ty-z2dg-vka1 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-4639.json | 38.0.0 |
| 2026-04-01T13:48:26.752397+00:00 | RedHat Importer | Affected by | VCID-1vrj-chs2-d3ab | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-1973.json | 38.0.0 |