Affected versions of this package are vulnerable to a Race Condition in the handling of URL-encoded request path information on the ajp-listener. By sending specially crafted concurrent requests, an attacker can cause the server to process incorrect paths, leading to a disruption of service.
Remediation
Upgrade io.undertow:undertow-core to version 2.3.14.Final or higher.
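One way to check a build against the remediation above, added here as an example (not code from the advisory or the Undertow project): it scans `mvn dependency:list` output for io.undertow:undertow-core versions below 2.3.14.Final. The sample listing is constructed, and treating qualifiers other than Final/SPn at 2.3.14 as pre-release is an assumption.

```python
import re

FIXED = (2, 3, 14)  # from the advisory: 2.3.14.Final or higher
ARTIFACT = "io.undertow:undertow-core"

# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE = """\
[INFO]    io.undertow:undertow-core:jar:2.3.13.Final:compile
[INFO]    io.undertow:undertow-servlet:jar:2.3.13.Final:compile
[INFO]    io.undertow:undertow-core:jar:2.3.14.Final:runtime
[INFO]    io.undertow:undertow-core:jar:tests:2.2.30.Final:test
[INFO]    io.undertow:undertow-core:jar:2.3.14.Beta1:compile
[INFO]    io.undertow:undertow-core:jar:2.4.0.Final:compile
"""

def parse_version(text):
    """Split '2.3.14.Final' into ((2, 3, 14), 'Final')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.groups()[:3]), (m.group(4) or "Final")

def needs_upgrade(version):
    """True if the version sorts below 2.3.14.Final."""
    nums, qualifier = parse_version(version)
    if nums != FIXED:
        return nums < FIXED
    # Assumption: at the same numeric version, only Final / SPn are releases.
    return not re.fullmatch(r"(?i)final|sp\d+", qualifier)

def find_outdated(dependency_list):
    """Return undertow-core versions in the listing that are below the fix."""
    hits = []
    for line in dependency_list.splitlines():
        coords = line.replace("[INFO]", "").strip().split(":")
        # Maven layout: groupId:artifactId:type[:classifier]:version:scope
        if len(coords) < 5 or ":".join(coords[:2]) != ARTIFACT:
            continue
        version = coords[-2]
        if needs_upgrade(version):
            hits.append(version)
    return hits

if __name__ == "__main__":
    for v in find_outdated(SAMPLE):
        print(f"{ARTIFACT} {v} is below 2.3.14.Final")
```

The check applies only the fixed version stated in this advisory; run it against the resolved dependency list so transitive copies of undertow-core are included.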
Overview
io.undertow:undertow-core is a Java web server based on non-blocking IO.