Maven package
org.jboss.eap/wildfly-undertow
pkg:maven/org.jboss.eap/wildfly-undertow
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-1067 | Med | 6.1 | | < 7.1.2.GA | 7.1.2.GA | May 21, 2018 | In Undertow before versions 7.1.2.CR1 and 7.1.2.GA, it was found that the fix for CVE-2016-4993 was incomplete: the Undertow web server is vulnerable to the injection of arbitrary HTTP headers and to response splitting, due to insufficient sanitization and validation of user input. |
| CVE-2018-1048 | High | 7.5 | | >= 7.1.0.GA, < 7.1.1.GA | 7.1.1.GA | Jan 24, 2018 | It was found that the AJP connector in Undertow, as shipped in JBoss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allows the slash / anti-slash characters encoded in the URL, which may lead to path traversal and result in the information disclosure of arbi |