A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.
A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Found in HEAD commit: f0c1d123bb3375482e903c0febdd18513fb47ec8
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-1745
### Vulnerable Library - undertow-core-2.0.28.Final.jarUndertow
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy: - spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library) - :x: **undertow-core-2.0.28.Final.jar** (Vulnerable Library)
Found in HEAD commit: f0c1d123bb3375482e903c0febdd18513fb47ec8
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.idor.IDORViewOtherProfile (Application) -> io.undertow.servlet.handlers.security.ServletFormAuthenticationMechanism$FormResponseWrapper (Extension) -> io.undertow.servlet.handlers.security.ServletFormAuthenticationMechanism (Extension) -> io.undertow.servlet.core.DeploymentManagerImpl$1 (Extension) ... -> io.undertow.servlet.handlers.ServletInitialHandler$MockServerConnection (Extension) -> org.xnio.XnioIoThread (Extension) -> ❌ io.undertow.server.protocol.ajp.AjpOpenListener (Vulnerable Component) ``` ### Vulnerability DetailsA file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
Publish Date: 2020-04-28
URL: CVE-2020-1745
### CVSS 3 Score Details (8.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1745
Release Date: 2020-04-28
Fix Resolution (io.undertow:undertow-core): 2.0.30.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.6.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-1757
### Vulnerable Library - undertow-core-2.0.28.Final.jarUndertow
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy: - spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library) - :x: **undertow-core-2.0.28.Final.jar** (Vulnerable Library)
Found in HEAD commit: f0c1d123bb3375482e903c0febdd18513fb47ec8
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.crypto.HashingAssignment (Application) -> io.undertow.servlet.spec.HttpSessionImpl (Extension) -> io.undertow.servlet.spec.ServletContextImpl (Extension) -> io.undertow.Handlers (Extension) ... -> io.undertow.server.handlers.proxy.SimpleProxyClientProvider (Extension) -> io.undertow.client.http.HttpClientConnection (Extension) -> ❌ io.undertow.server.Connectors (Vulnerable Component) ``` ### Vulnerability DetailsA flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
Publish Date: 2020-04-21
URL: CVE-2020-1757
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1757
Release Date: 2020-04-30
Fix Resolution (io.undertow:undertow-core): 2.0.30.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.6.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-27782
### Vulnerable Library - undertow-core-2.0.28.Final.jarUndertow
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy: - spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library) - :x: **undertow-core-2.0.28.Final.jar** (Vulnerable Library)
Found in HEAD commit: f0c1d123bb3375482e903c0febdd18513fb47ec8
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.idor.IDORViewOtherProfile (Application) -> io.undertow.servlet.spec.HttpServletResponseImpl (Extension) -> io.undertow.servlet.spec.HttpServletRequestImpl (Extension) -> org.xnio.XnioIoThread (Extension) ... -> io.undertow.server.handlers.resource.ResourceHandler (Extension) -> io.undertow.server.handlers.resource.ResourceHandler$Wrapper (Extension) -> ❌ io.undertow.server.handlers.resource.PathResourceManager (Vulnerable Component) ``` ### Vulnerability DetailsA flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.
Publish Date: 2021-02-23
URL: CVE-2020-27782
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-rhcw-wjcm-9h6g
Release Date: 2021-02-23
Fix Resolution (io.undertow:undertow-core): 2.0.33.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.12.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-10705
### Vulnerable Library - undertow-core-2.0.28.Final.jarUndertow
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy: - spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library) - :x: **undertow-core-2.0.28.Final.jar** (Vulnerable Library)
Found in HEAD commit: f0c1d123bb3375482e903c0febdd18513fb47ec8
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.crypto.HashingAssignment (Application) -> io.undertow.servlet.spec.HttpServletRequestImpl (Extension) -> ❌ io.undertow.server.HttpServerExchange (Vulnerable Component) ``` ### Vulnerability DetailsA flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.
Publish Date: 2020-06-10
URL: CVE-2020-10705
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10705
Release Date: 2020-06-10
Fix Resolution (io.undertow:undertow-core): 2.0.31.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.10.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-10719
### Vulnerable Library - undertow-core-2.0.28.Final.jarUndertow
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy: - spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library) - :x: **undertow-core-2.0.28.Final.jar** (Vulnerable Library)
Found in HEAD commit: f0c1d123bb3375482e903c0febdd18513fb47ec8
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.idor.IDORViewOtherProfile (Application) -> io.undertow.servlet.handlers.security.ServletFormAuthenticationMechanism$FormResponseWrapper (Extension) -> io.undertow.servlet.handlers.security.ServletFormAuthenticationMechanism (Extension) -> io.undertow.server.protocol.http.HttpOpenListener (Extension) ... -> io.undertow.server.protocol.http.HttpTransferEncoding (Extension) -> io.undertow.conduits.PreChunkedStreamSinkConduit (Extension) -> ❌ io.undertow.conduits.ChunkReader (Vulnerable Component) ``` ### Vulnerability DetailsA flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
Publish Date: 2020-05-26
URL: CVE-2020-10719
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10719
Release Date: 2020-05-26
Fix Resolution (io.undertow:undertow-core): 2.0.31.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.10.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-20220
### Vulnerable Library - undertow-core-2.0.28.Final.jarUndertow
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy: - spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library) - :x: **undertow-core-2.0.28.Final.jar** (Vulnerable Library)
Found in HEAD commit: f0c1d123bb3375482e903c0febdd18513fb47ec8
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.idor.IDORViewOtherProfile (Application) -> org.eclipse.jetty.security.authentication.DeferredAuthentication$1 (Extension) -> org.eclipse.jetty.security.authentication.DeferredAuthentication (Extension) -> io.undertow.servlet.core.DeploymentManagerImpl (Extension) ... -> io.undertow.server.handlers.proxy.ProxyHandler (Extension) -> io.undertow.server.protocol.http2.Http2ServerConnection (Extension) -> ❌ io.undertow.server.protocol.http2.Http2ReceiveListener (Vulnerable Component) ``` ### Vulnerability DetailsA flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
Publish Date: 2021-02-23
URL: CVE-2021-20220
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-qjwc-v72v-fq6r
Release Date: 2021-02-23
Fix Resolution (io.undertow:undertow-core): 2.0.34.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.3.0.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-10687
### Vulnerable Library - undertow-core-2.0.28.Final.jarUndertow
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy: - spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library) - :x: **undertow-core-2.0.28.Final.jar** (Vulnerable Library)
Found in HEAD commit: f0c1d123bb3375482e903c0febdd18513fb47ec8
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.idor.IDORViewOtherProfile (Application) -> org.eclipse.jetty.security.authentication.DeferredAuthentication$1 (Extension) -> org.eclipse.jetty.security.authentication.DeferredAuthentication (Extension) -> io.undertow.servlet.core.DeploymentManagerImpl (Extension) ... -> io.undertow.server.handlers.proxy.ProxyHandler (Extension) -> io.undertow.server.protocol.http2.Http2ServerConnection (Extension) -> ❌ io.undertow.server.protocol.http2.Http2ReceiveListener (Vulnerable Component) ``` ### Vulnerability DetailsA flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
Publish Date: 2020-09-23
URL: CVE-2020-10687
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1785049
Release Date: 2020-09-23
Fix Resolution (io.undertow:undertow-core): 2.1.5.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.3.7.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.