Page 3 of 26 results (0.023 seconds)

CVSS: 5.8EPSS: 0%CPEs: 13EXPL: 0

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. Se detectó un fallo en todas las versiones de Undertow versiones anteriores a Undertow 2.2.0.Final, donde el tráfico malicioso de peticiones HTTP relacionado a CVE-2017-2666, es posible contra HTTP/1.x y HTTP/2 debido a que permite caracteres no válidos en una petición HTTP. Este fallo permite a un atacante envenenar una caché web, llevar a cabo un ataque de tipo XSS y obtener información confidencial de una petición distinta a la suya A flaw was discovered in Undertow where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. • https://bugzilla.redhat.com/show_bug.cgi?id=1785049 https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c%40%3Cdev.cxf.apache.org%3E https://security.netapp.com/advisory/ntap-20220210-0015 https://access.redhat.com/security/cve/CVE-2020-10687 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0

A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable. Se encontró una falla en Undertow al usar Remoting como se envió en Red Hat Jboss EAP anterior a la versión 7.2.4. Una filtrado de memoria en HttpOpenListener debido a mantener conexiones remotas indefinidamente puede conllevar a una denegación de servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=1780445 https://issues.redhat.com/browse/JBEAP-16695 https://security.netapp.com/advisory/ntap-20220211-0002 https://access.redhat.com/security/cve/CVE-2019-19343 • CWE-400: Uncontrolled Resource Consumption CWE-404: Improper Resource Shutdown or Release •

CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service. Se detectó una fallo en Undertow versiones anteriores a Undertow 2.1.1.Final, donde ciertas peticiones al encabezado "Expect: 100-continue" pueden causar un error de falta de memoria. Este defecto puede conllevar potencialmente a una denegación de servicio A flaw was discovered in Undertow where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service. • https://bugzilla.redhat.com/show_bug.cgi?id=1803241 https://security.netapp.com/advisory/ntap-20220210-0014 https://access.redhat.com/security/cve/CVE-2020-10705 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 6.5EPSS: 0%CPEs: 24EXPL: 0

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. Se detectó un fallo en Undertow en versiones anteriores a 2.1.1.Final, con respecto al procesamiento de peticiones HTTP no válidas con tamaños de fragmentos grandes. Este fallo permite a un atacante tomar ventaja del tráfico no autorizado de peticiones HTTP. A flaw was found in Undertow, regarding the processing of invalid HTTP requests with large chunk sizes. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719 https://security.netapp.com/advisory/ntap-20220210-0014 https://access.redhat.com/security/cve/CVE-2020-10719 https://bugzilla.redhat.com/show_bug.cgi?id=1828459 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 8.1EPSS: 0%CPEs: 12EXPL: 0

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. Se encontró un fallo en todas las versiones undertow-2.x.x SP1 anteriores a undertow-2.0.30.SP1, en todas las versiones undertow-1.x.x y versiones undertow-2.x.x anteriores a undertow-2.1.0.Final, donde el contenedor de servlets causa que servletPath se normalice incorrectamente al truncar la ruta después del punto y coma, lo que puede conllevar a un mapeo de la aplicación resultando en la omisión de la seguridad. A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757 https://access.redhat.com/security/cve/CVE-2020-1757 https://bugzilla.redhat.com/show_bug.cgi?id=1752770 • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •