{"url":"http://public2.vulnerablecode.io/api/packages/98392?format=json","purl":"pkg:rpm/redhat/eap7-undertow@2.2.19-1.SP2_redhat_00001.1?arch=el7eap","type":"rpm","namespace":"redhat","name":"eap7-undertow","version":"2.2.19-1.SP2_redhat_00001.1","qualifiers":{"arch":"el7eap"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79542?format=json","vulnerability_id":"VCID-62gn-nwup-8uat","summary":"undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1259.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1259.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-1259","reference_id":"","reference_type":"","scores":[{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.5052","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50576","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50604","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50557","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50611","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50608","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50651","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50628","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50614","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50656","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50661","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.5064","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50588","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50596","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.5055","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50473","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50527","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.5051","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50541","published_at":"2026-05-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-1259"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2072339","reference_id":"2072339","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2072339"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2022-1259","reference_id":"CVE-2022-1259","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/CVE-2022-1259"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1259","reference_id":"CVE-2022-1259","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1259"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6821","reference_id":"RHSA-2022:6821","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6821"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6822","reference_id":"RHSA-2022:6822","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6822"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6823","reference_id":"RHSA-2022:6823","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6823"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6825","reference_id":"RHSA-2022:6825","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6825"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8761","reference_id":"RHSA-2022:8761","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8761"}],"fixed_packages":[],"aliases":["CVE-2022-1259"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-62gn-nwup-8uat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53159?format=json","vulnerability_id":"VCID-xftw-raz7-b7e1","summary":"Undertow vulnerable to Dos via Large AJP request\nWhen a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application server updates the server state. So, in the worst case, it can result in \"All workers are in error state\" and mod_cluster responds \"503 Service Unavailable\" for a while (up to 10 seconds). In mod_proxy_balancer, it does not forward requests to the worker until the \"retry\" timeout passes. However, luckily, mod_proxy_balancer has \"forcerecovery\" setting (On by default; this parameter can force the immediate recovery of all workers without considering the retry parameter of the workers if all workers of a balancer are in error state.). So, unlike mod_cluster, mod_proxy_balancer does not result in responding \"503 Service Unavailable\". An attacker could use this behavior to send a malicious request and trigger server errors, resulting in DoS (denial of service). This flaw was fixed in Undertow 2.2.19.Final, Undertow 2.3.0.Alpha2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2053.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2053.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2053","reference_id":"","reference_type":"","scores":[{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.5375","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53763","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53747","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53784","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53788","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53771","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53736","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53748","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53714","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53664","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53762","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53725","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53682","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53709","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53681","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53733","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.53731","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00305","scoring_system":"epss","scoring_elements":"0.5378","published_at":"2026-04-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2053"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2095862&comment#0"},{"reference_url":"https://github.com/undertow-io/undertow","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/undertow-io/undertow"},{"reference_url":"https://github.com/undertow-io/undertow/pull/1350","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/undertow-io/undertow/pull/1350"},{"reference_url":"https://issues.redhat.com/browse/UNDERTOW-2133","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.redhat.com/browse/UNDERTOW-2133"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2053","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2053"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2095862","reference_id":"2095862","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2095862"},{"reference_url":"https://github.com/advisories/GHSA-95rf-557x-44g5","reference_id":"GHSA-95rf-557x-44g5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-95rf-557x-44g5"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6821","reference_id":"RHSA-2022:6821","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6821"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6822","reference_id":"RHSA-2022:6822","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6822"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6823","reference_id":"RHSA-2022:6823","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6823"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:6825","reference_id":"RHSA-2022:6825","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:6825"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8652","reference_id":"RHSA-2022:8652","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8652"}],"fixed_packages":[],"aliases":["CVE-2022-2053","GHSA-95rf-557x-44g5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xftw-raz7-b7e1"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/eap7-undertow@2.2.19-1.SP2_redhat_00001.1%3Farch=el7eap"}