OESA-2025-1257

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1257
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1257.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1257
Upstream
Published
2025-03-07T15:28:00Z
Modified
2025-08-12T05:34:21.001667Z
Summary
undertow security update
Details

Java web server using non-blocking IO

Security Fix(es):

undertow before versions 1.4.18.SP1, 2.0.2.Final and 1.4.24.Final was found vulnerable when using Digest authentication: the server does not ensure that the `uri` value in the Authorization header matches the request-target in the HTTP request line. An attacker in a man-in-the-middle position who captures a valid Authorization header can therefore reuse it to access other content on the server.(CVE-2017-12196)
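
The check described above, as an added illustration in Python rather than Undertow's own code: a Digest verifier that recomputes the response from the header's own `uri` parameter accepts a captured header for any resource, while a verifier that first binds that parameter to the request-target it is actually serving rejects the reuse. The realm, user table, server nonce and client nc/cnonce values are constructed for the example; a real server stores HA1 rather than passwords, issues a fresh nonce per challenge and tracks nonce counts to stop same-URI replay.

```python
"""Digest auth: bind the client's `uri` parameter to the request-target.

Added illustration in Python, not Undertow's code. REALM, USERS, SERVER_NONCE
and the client nc/cnonce are constructed values for this example only.
"""
import hashlib
import hmac
import re

REALM = "example"                                       # constructed
USERS = {"alice": "correct horse"}                      # constructed
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # constructed, assumed still valid

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict; quoted and bare values both allowed."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {k: (q if q else b) for k, q, b in _PARAM_RE.findall(header[len("Digest "):])}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """Digest response for qop=auth (MD5, as the scheme defines it)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")   # the only place the protected resource enters the hash
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_header(user, password, method, uri, nc="00000001", cnonce="0a4f113b"):
    """What a legitimate client sends for `method uri` (constructed nc and cnonce)."""
    resp = digest_response(user, password, method, uri, SERVER_NONCE, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{SERVER_NONCE}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_unbound(method, request_target, header):
    """Vulnerable shape: the digest is recomputed from the header's own `uri`.

    `request_target` is never consulted, so a valid header captured for one
    resource verifies for any other request-target while the nonce is valid.
    """
    p = parse_digest(header)
    pw = USERS.get(p.get("username", ""))
    if pw is None or p.get("nonce") != SERVER_NONCE or p.get("qop") != "auth":
        return False
    expected = digest_response(p["username"], pw, method, p.get("uri", ""),
                               p["nonce"], p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(p.get("response", "").encode(), expected.encode())


def verify_bound(method, request_target, header):
    """Fixed shape: refuse unless the hashed `uri` is the request-target being served."""
    p = parse_digest(header)
    if p.get("uri") != request_target:
        return False
    return verify_unbound(method, request_target, header)


if __name__ == "__main__":
    # alice authenticates to a low-value resource; an on-path attacker captures the header
    captured = client_header("alice", "correct horse", "GET", "/public/report")
    for target in ("/public/report", "/admin/secrets"):
        print(target, "unbound:", verify_unbound("GET", target, captured),
              "bound:", verify_bound("GET", target, captured))
```

The comparison of the `uri` parameter happens before any hashing, so a mismatched header costs the server nothing. Binding the URI does not by itself stop replay of the captured header against the same resource; that is what nonce expiry and nonce-count tracking are for.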

undertow before version 2.0.23.Final is vulnerable to an information leak. Web applications may have their directory structures inferred from the server's responses to requests for paths without a trailing slash, via the API.(CVE-2019-10184)
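
An added illustration in Python, not Undertow's code, of how a trailing-slash redirect becomes a directory-existence oracle. The advisory only says that directory structures can be predicted through requests without trailing slashes; the mechanism modelled here is an assumption: a handler that answers "this is a directory, go to path/" before deciding whether the directory may be served at all tells a client, through the status code alone, whether any guessed name exists. The file tree and the list of never-served directories are constructed for the example.

```python
"""Trailing-slash redirect as a directory-existence oracle.

Added illustration in Python, not Undertow's code. TREE and HIDDEN are
constructed; the leaky/fixed ordering is the assumed mechanism, not a
description of Undertow's implementation.
"""
import posixpath

# Constructed stand-in for a deployment's file tree; entries ending in "/" are directories.
TREE = {"/", "/static/", "/static/app.js", "/WEB-INF/", "/WEB-INF/web.xml", "/WEB-INF/lib/"}
# Directories never served to clients (assumed policy, modelled on a servlet layout).
HIDDEN = ("/WEB-INF/", "/META-INF/")


def _canon(target: str) -> str:
    """Collapse '.', '..' and '//' so traversal cannot dodge the policy check."""
    return posixpath.normpath(target if target.startswith("/") else "/" + target)


def _is_dir(path: str) -> bool:
    return path.rstrip("/") + "/" in TREE


def _hidden(path: str) -> bool:
    return (path.rstrip("/") + "/").startswith(HIDDEN)


def _finish(path: str, target: str):
    """Common tail once the path is known to be eligible for serving."""
    if _is_dir(path):
        if not target.endswith("/"):
            return 301, path + "/"      # canonical directory URL
        return 200, None                # directory index
    return (200, None) if path in TREE else (404, None)


def handle_leaky(target: str):
    """Redirect is decided before the access check: 301 vs 404 reveals existence."""
    path = _canon(target)
    if _is_dir(path) and not target.endswith("/"):
        return 301, path + "/"
    if _hidden(path):
        return 404, None
    return _finish(path, target)


def handle_fixed(target: str):
    """Access check first: a hidden directory answers exactly like a missing one."""
    path = _canon(target)
    if _hidden(path):
        return 404, None
    return _finish(path, target)


def enumerate_dirs(handler, names):
    """What a client learns from status codes alone: names that redirect exist as directories."""
    return sorted(n for n in names if handler("/" + n)[0] == 301)


if __name__ == "__main__":
    guesses = ["WEB-INF", "META-INF", "static", "backup", "admin"]   # constructed wordlist
    print("leaky:", enumerate_dirs(handle_leaky, guesses))
    print("fixed:", enumerate_dirs(handle_fixed, guesses))
```

Both handlers already refuse to serve `/WEB-INF/web.xml`; the difference is only in what the status code says about `/WEB-INF` itself. The general rule is that every response a client cannot be authorised to receive should be indistinguishable from "not found", and that decision must come before any redirect, index or content-type logic that depends on the resource's type.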

A flaw was found in all Undertow versions before 2.0.20 in the DEBUG log output of the io.undertow.request.security logger. If DEBUG logging is enabled for that category, an attacker with access to the log files can obtain users' credentials from them.(CVE-2019-10212)
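
An added illustration in Python, not Undertow's code, of the two layers that keep credentials out of a security DEBUG log: log a summary of the credential (scheme and identity) instead of the header value, and run a filter over every record so that a raw Authorization header that still reaches the logger is redacted before any handler writes it. The logger name echoes the category named in the advisory but is otherwise unrelated to Undertow's logging; the request lines are constructed.

```python
"""Keeping credentials out of DEBUG logs.

Added illustration in Python, not Undertow's code. The logger name only echoes
the category named in the advisory; SAMPLE_LINES are constructed.
"""
import base64
import binascii
import io
import logging
import re

_AUTH_LINE = re.compile(r"(?i)\b(authorization|proxy-authorization)\s*:\s*([^\r\n]+)")


def summarize_credential(value: str) -> str:
    """Loggable form of an Authorization header value: scheme and identity, never the secret."""
    scheme, _, rest = value.strip().partition(" ")
    kind = scheme.lower()
    if kind == "basic":
        try:
            decoded = base64.b64decode(rest.strip(), validate=True).decode("utf-8", "replace")
            user = decoded.split(":", 1)[0]
        except (binascii.Error, ValueError):
            user = "<undecodable>"
        return f"Basic user={user!r}"
    if kind == "digest":
        m = re.search(r'username="([^"]*)"', rest)
        return f"Digest user={m.group(1)!r}" if m else "Digest user=?"
    return f"{scheme} <redacted>"


def redact(text: str) -> str:
    """Replace every (Proxy-)Authorization header value, to end of line, with its summary."""
    return _AUTH_LINE.sub(lambda m: f"{m.group(1)}: {summarize_credential(m.group(2))}", text)


class RedactCredentials(logging.Filter):
    """Rewrite the record's message in place so no raw credential reaches a handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def debug_log(lines):
    """Run request lines through a DEBUG logger carrying the filter; return the output."""
    buf = io.StringIO()
    logger = logging.getLogger("io.undertow.request.security.example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactCredentials())
    for line in lines:
        logger.debug("authenticating %s", line)   # the kind of line a security DEBUG log emits
    return buf.getvalue()


# Constructed request lines; the Basic value is base64("alice:correct horse").
SAMPLE_LINES = [
    "GET /secure HTTP/1.1 Authorization: Basic " + base64.b64encode(b"alice:correct horse").decode(),
    'GET /secure HTTP/1.1 Authorization: Digest username="bob", realm="example", '
    'nonce="dcd98b71", uri="/secure", response="6629fae49393a05397450978507c4ef1"',
]

if __name__ == "__main__":
    print(debug_log(SAMPLE_LINES), end="")
```

The filter is deliberately attached to the logger rather than to one handler, so it applies no matter how many appenders the category gains later. A Digest `response` value is redacted along with the password because, with the nonce and URI visible in the same line, it is enough for offline password guessing and for replay within the nonce's lifetime.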

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-10.oe2403sp1

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-10.oe2403sp1.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-10.oe2403sp1.noarch.rpm",
        "undertow-javadoc-1.4.0-10.oe2403sp1.noarch.rpm"
    ]
}

openEuler:20.03-LTS-SP4 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-9.oe2003sp4

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-9.oe2003sp4.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-9.oe2003sp4.noarch.rpm",
        "undertow-javadoc-1.4.0-9.oe2003sp4.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP3 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-22.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-9.oe2203sp3

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-9.oe2203sp3.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-9.oe2203sp3.noarch.rpm",
        "undertow-javadoc-1.4.0-9.oe2203sp3.noarch.rpm"
    ]
}

openEuler:22.03-LTS-SP4 / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-9.oe2203sp4

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-9.oe2203sp4.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-9.oe2203sp4.noarch.rpm",
        "undertow-javadoc-1.4.0-9.oe2203sp4.noarch.rpm"
    ]
}

openEuler:24.03-LTS / undertow

Package

Name
undertow
Purl
pkg:rpm/openEuler/undertow&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0-10.oe2403

Ecosystem specific

{
    "src": [
        "undertow-1.4.0-10.oe2403sp1.src.rpm",
        "undertow-1.4.0-10.oe2403.src.rpm"
    ],
    "noarch": [
        "undertow-1.4.0-10.oe2403sp1.noarch.rpm",
        "undertow-javadoc-1.4.0-10.oe2403sp1.noarch.rpm",
        "undertow-1.4.0-10.oe2403.noarch.rpm",
        "undertow-javadoc-1.4.0-10.oe2403.noarch.rpm"
    ]
}