A flaw was found in Undertow versions through 2.2.17.Final and 2.3.0.Alpha1. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by "CPING" since it reads in the second "SEND_HEADERS" response packet instead of a "CPONG".
HIGH Vulnerable Package issue exists @ io.undertow:undertow-core in branch refs/heads/master
Description
Vulnerability ID: CVE-2022-1319
Package Name: io.undertow:undertow-core
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2022-08-31T16:15:00
Current Package Version: 2.0.9.Final
Remediation Upgrade Recommendation: 2.3.16.SP1-redhat-00001
Reference – NVD link