| 0 |
|
| 1 |
|
| 2 |
| url |
VCID-7afz-fgkz-f3fd |
| vulnerability_id |
VCID-7afz-fgkz-f3fd |
| summary |
Information Exposure
An information leak vulnerability was found in Undertow. If all headers are not written out in the first `write()` call, the code that handles flushing the buffer will always write out the full contents of the `writevBuffer` buffer, which may contain data from previous requests. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-14642, GHSA-vf6r-mmhc-3xcm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7afz-fgkz-f3fd |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| url |
VCID-ehrd-7nff-ryh9 |
| vulnerability_id |
VCID-ehrd-7nff-ryh9 |
| summary |
Information Exposure
An information exposure of plain text credentials through log files because `Connectors.executeRootHandler:402` logs the `HttpServerExchange` object at `ERROR` level using `UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t,exchange)`. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2019-3888, GHSA-jwgx-9mmh-684w
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ehrd-7nff-ryh9 |
|
| 9 |
| url |
VCID-fx5j-2na1-hfcu |
| vulnerability_id |
VCID-fx5j-2na1-hfcu |
| summary |
Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)
It was discovered that Undertow processes http request headers with unusual whitespaces which can cause possible http request smuggling. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/io.undertow/undertow-core@1.3.31.Final |
| purl |
pkg:maven/io.undertow/undertow-core@1.3.31.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2nyw-aps1-s3ft |
|
| 1 |
| vulnerability |
VCID-4b3a-8rvb-ckfv |
|
| 2 |
| vulnerability |
VCID-7afz-fgkz-f3fd |
|
| 3 |
| vulnerability |
VCID-8tag-j15y-s3bv |
|
| 4 |
| vulnerability |
VCID-91gu-393b-qfhn |
|
| 5 |
| vulnerability |
VCID-9cfx-e4jz-h7c1 |
|
| 6 |
| vulnerability |
VCID-ctza-pmb9-zybt |
|
| 7 |
| vulnerability |
VCID-d135-ye4c-57ec |
|
| 8 |
| vulnerability |
VCID-ehrd-7nff-ryh9 |
|
| 9 |
| vulnerability |
VCID-gncz-crbm-fqfn |
|
| 10 |
| vulnerability |
VCID-jrdf-tcdd-nkf4 |
|
| 11 |
| vulnerability |
VCID-nvjn-mxfy-rkcc |
|
| 12 |
| vulnerability |
VCID-rcwt-72ce-kbhj |
|
| 13 |
| vulnerability |
VCID-rgf5-5djc-fkcx |
|
| 14 |
| vulnerability |
VCID-s4zw-6yd3-qfb7 |
|
| 15 |
| vulnerability |
VCID-tbh6-rhwv-wfcm |
|
| 16 |
| vulnerability |
VCID-ug8z-4ece-hfdw |
|
| 17 |
| vulnerability |
VCID-ww1g-jbj2-2ubu |
|
| 18 |
| vulnerability |
VCID-xyjb-bxjg-2ye3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/io.undertow/undertow-core@1.3.31.Final |
|
| 2 |
|
| 3 |
| url |
pkg:maven/io.undertow/undertow-core@1.4.17.Final |
| purl |
pkg:maven/io.undertow/undertow-core@1.4.17.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2nyw-aps1-s3ft |
|
| 1 |
| vulnerability |
VCID-4b3a-8rvb-ckfv |
|
| 2 |
| vulnerability |
VCID-7afz-fgkz-f3fd |
|
| 3 |
| vulnerability |
VCID-8tag-j15y-s3bv |
|
| 4 |
| vulnerability |
VCID-91gu-393b-qfhn |
|
| 5 |
| vulnerability |
VCID-9cfx-e4jz-h7c1 |
|
| 6 |
| vulnerability |
VCID-ctw5-1q7n-b7bk |
|
| 7 |
| vulnerability |
VCID-ctza-pmb9-zybt |
|
| 8 |
| vulnerability |
VCID-d135-ye4c-57ec |
|
| 9 |
| vulnerability |
VCID-ehrd-7nff-ryh9 |
|
| 10 |
| vulnerability |
VCID-gncz-crbm-fqfn |
|
| 11 |
| vulnerability |
VCID-jrdf-tcdd-nkf4 |
|
| 12 |
| vulnerability |
VCID-nvjn-mxfy-rkcc |
|
| 13 |
| vulnerability |
VCID-rcwt-72ce-kbhj |
|
| 14 |
| vulnerability |
VCID-rgf5-5djc-fkcx |
|
| 15 |
| vulnerability |
VCID-s4zw-6yd3-qfb7 |
|
| 16 |
| vulnerability |
VCID-tbh6-rhwv-wfcm |
|
| 17 |
| vulnerability |
VCID-ug8z-4ece-hfdw |
|
| 18 |
| vulnerability |
VCID-ww1g-jbj2-2ubu |
|
| 19 |
| vulnerability |
VCID-xyjb-bxjg-2ye3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/io.undertow/undertow-core@1.4.17.Final |
|
| 4 |
|
| 5 |
| url |
pkg:maven/io.undertow/undertow-core@2.0.1.Final |
| purl |
pkg:maven/io.undertow/undertow-core@2.0.1.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2nyw-aps1-s3ft |
|
| 1 |
| vulnerability |
VCID-4b3a-8rvb-ckfv |
|
| 2 |
| vulnerability |
VCID-6s8z-yhd9-7bhm |
|
| 3 |
| vulnerability |
VCID-7afz-fgkz-f3fd |
|
| 4 |
| vulnerability |
VCID-8tag-j15y-s3bv |
|
| 5 |
| vulnerability |
VCID-91gu-393b-qfhn |
|
| 6 |
| vulnerability |
VCID-9cfx-e4jz-h7c1 |
|
| 7 |
| vulnerability |
VCID-ctza-pmb9-zybt |
|
| 8 |
| vulnerability |
VCID-d135-ye4c-57ec |
|
| 9 |
| vulnerability |
VCID-ehrd-7nff-ryh9 |
|
| 10 |
| vulnerability |
VCID-gncz-crbm-fqfn |
|
| 11 |
| vulnerability |
VCID-jrdf-tcdd-nkf4 |
|
| 12 |
| vulnerability |
VCID-nvjn-mxfy-rkcc |
|
| 13 |
| vulnerability |
VCID-rcwt-72ce-kbhj |
|
| 14 |
| vulnerability |
VCID-rgf5-5djc-fkcx |
|
| 15 |
| vulnerability |
VCID-s4zw-6yd3-qfb7 |
|
| 16 |
| vulnerability |
VCID-tbh6-rhwv-wfcm |
|
| 17 |
| vulnerability |
VCID-ww1g-jbj2-2ubu |
|
| 18 |
| vulnerability |
VCID-xyjb-bxjg-2ye3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/io.undertow/undertow-core@2.0.1.Final |
|
|
| aliases |
CVE-2017-12165, GHSA-5gg7-5wv8-4gcj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fx5j-2na1-hfcu |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
| url |
VCID-ug8z-4ece-hfdw |
| vulnerability_id |
VCID-ug8z-4ece-hfdw |
| summary |
Path Traversal
The AJP connector in undertow does not use the `ALLOW_ENCODED_SLASH` option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-1048, GHSA-prfw-3qx6-g9xr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ug8z-4ece-hfdw |
|
| 19 |
|
| 20 |
| url |
VCID-xb2n-a5w7-g7cx |
| vulnerability_id |
VCID-xb2n-a5w7-g7cx |
| summary |
Improper Neutralization of CRLF Sequences in HTTP Headers
CRLF injection vulnerability in the Undertow web server allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/io.undertow/undertow-core@1.3.5.Final |
| purl |
pkg:maven/io.undertow/undertow-core@1.3.5.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2nyw-aps1-s3ft |
|
| 1 |
| vulnerability |
VCID-4b3a-8rvb-ckfv |
|
| 2 |
| vulnerability |
VCID-7afz-fgkz-f3fd |
|
| 3 |
| vulnerability |
VCID-8mnx-8nvz-tyda |
|
| 4 |
| vulnerability |
VCID-8tag-j15y-s3bv |
|
| 5 |
| vulnerability |
VCID-91gu-393b-qfhn |
|
| 6 |
| vulnerability |
VCID-9cfx-e4jz-h7c1 |
|
| 7 |
| vulnerability |
VCID-ctza-pmb9-zybt |
|
| 8 |
| vulnerability |
VCID-d135-ye4c-57ec |
|
| 9 |
| vulnerability |
VCID-ehrd-7nff-ryh9 |
|
| 10 |
| vulnerability |
VCID-fx5j-2na1-hfcu |
|
| 11 |
| vulnerability |
VCID-gncz-crbm-fqfn |
|
| 12 |
| vulnerability |
VCID-jrdf-tcdd-nkf4 |
|
| 13 |
| vulnerability |
VCID-nftp-q5a9-eqdn |
|
| 14 |
| vulnerability |
VCID-nvjn-mxfy-rkcc |
|
| 15 |
| vulnerability |
VCID-rcwt-72ce-kbhj |
|
| 16 |
| vulnerability |
VCID-rgf5-5djc-fkcx |
|
| 17 |
| vulnerability |
VCID-s4zw-6yd3-qfb7 |
|
| 18 |
| vulnerability |
VCID-tbh6-rhwv-wfcm |
|
| 19 |
| vulnerability |
VCID-ug8z-4ece-hfdw |
|
| 20 |
| vulnerability |
VCID-ww1g-jbj2-2ubu |
|
| 21 |
| vulnerability |
VCID-xy1a-thk6-5fhz |
|
| 22 |
| vulnerability |
VCID-xyjb-bxjg-2ye3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/io.undertow/undertow-core@1.3.5.Final |
|
| 1 |
|
| 2 |
|
| 3 |
| url |
pkg:maven/io.undertow/undertow-core@2.0.1.Final |
| purl |
pkg:maven/io.undertow/undertow-core@2.0.1.Final |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2nyw-aps1-s3ft |
|
| 1 |
| vulnerability |
VCID-4b3a-8rvb-ckfv |
|
| 2 |
| vulnerability |
VCID-6s8z-yhd9-7bhm |
|
| 3 |
| vulnerability |
VCID-7afz-fgkz-f3fd |
|
| 4 |
| vulnerability |
VCID-8tag-j15y-s3bv |
|
| 5 |
| vulnerability |
VCID-91gu-393b-qfhn |
|
| 6 |
| vulnerability |
VCID-9cfx-e4jz-h7c1 |
|
| 7 |
| vulnerability |
VCID-ctza-pmb9-zybt |
|
| 8 |
| vulnerability |
VCID-d135-ye4c-57ec |
|
| 9 |
| vulnerability |
VCID-ehrd-7nff-ryh9 |
|
| 10 |
| vulnerability |
VCID-gncz-crbm-fqfn |
|
| 11 |
| vulnerability |
VCID-jrdf-tcdd-nkf4 |
|
| 12 |
| vulnerability |
VCID-nvjn-mxfy-rkcc |
|
| 13 |
| vulnerability |
VCID-rcwt-72ce-kbhj |
|
| 14 |
| vulnerability |
VCID-rgf5-5djc-fkcx |
|
| 15 |
| vulnerability |
VCID-s4zw-6yd3-qfb7 |
|
| 16 |
| vulnerability |
VCID-tbh6-rhwv-wfcm |
|
| 17 |
| vulnerability |
VCID-ww1g-jbj2-2ubu |
|
| 18 |
| vulnerability |
VCID-xyjb-bxjg-2ye3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/io.undertow/undertow-core@2.0.1.Final |
|
|
| aliases |
CVE-2016-4993, GHSA-qcqr-hcjq-whfq
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xb2n-a5w7-g7cx |
|
| 21 |
|