OESA-2021-1422

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1422
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2021-1422.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2021-1422
Upstream
Published
2021-11-05T11:03:20Z
Modified
2025-08-12T05:04:45.318116Z
Summary
undertow security update
Details

Java web server using non-blocking IO

Security Fix(es):

A vulnerability was found in the Undertow web server before 2.0.21: an information exposure of plain-text credentials through log files, because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange). (CVE-2019-3888)

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final, where certain requests carrying the "Expect: 100-continue" header may cause an out-of-memory error. This flaw may potentially lead to a denial of service. (CVE-2020-10705)

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. (CVE-2020-10719)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.4.0-4.oe1

Ecosystem specific

{
    "noarch": [
        "undertow-1.4.0-4.oe1.noarch.rpm",
        "undertow-javadoc-1.4.0-4.oe1.noarch.rpm"
    ],
    "src": [
        "undertow-1.4.0-4.oe1.src.rpm"
    ]
}

openEuler:20.03-LTS-SP2 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-20.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.4.0-4.oe1

Ecosystem specific

{
    "noarch": [
        "undertow-1.4.0-4.oe1.noarch.rpm",
        "undertow-javadoc-1.4.0-4.oe1.noarch.rpm"
    ],
    "src": [
        "undertow-1.4.0-4.oe1.src.rpm"
    ]
}