Vulnerable Library - spring-boot-starter-undertow-2.2.2.RELEASE.jar
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (spring-boot-starter-undertow version) |
Remediation Possible** |
Reachability |
| CVE-2020-1757 |
 High |
8.1 |
undertow-core-2.0.28.Final.jar |
Transitive |
2.2.6.RELEASE |
✅ |
|
| CVE-2020-27782 |
High |
7.5 |
undertow-core-2.0.28.Final.jar |
Transitive |
2.2.12.RELEASE |
✅ |
|
| CVE-2020-10705 |
High |
7.5 |
undertow-core-2.0.28.Final.jar |
Transitive |
2.2.10.RELEASE |
✅ |
|
| CVE-2020-10719 |
 Medium |
6.5 |
undertow-core-2.0.28.Final.jar |
Transitive |
2.2.10.RELEASE |
✅ |
|
| CVE-2021-20220 |
Medium |
4.8 |
undertow-core-2.0.28.Final.jar |
Transitive |
2.3.0.RELEASE |
✅ |
|
| CVE-2020-10687 |
Medium |
4.8 |
undertow-core-2.0.28.Final.jar |
Transitive |
2.3.7.RELEASE |
✅ |
|
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-1757
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
- spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library)
- ❌ undertow-core-2.0.28.Final.jar (Vulnerable Library)
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
Publish Date: 2020-04-21
URL: CVE-2020-1757
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1757
Release Date: 2020-04-30
Fix Resolution (io.undertow:undertow-core): 2.0.30.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.6.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-27782
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
- spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library)
- ❌ undertow-core-2.0.28.Final.jar (Vulnerable Library)
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.
Publish Date: 2021-02-23
URL: CVE-2020-27782
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rhcw-wjcm-9h6g
Release Date: 2021-02-23
Fix Resolution (io.undertow:undertow-core): 2.0.33.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.12.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-10705
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
- spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library)
- ❌ undertow-core-2.0.28.Final.jar (Vulnerable Library)
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.
Publish Date: 2020-06-10
URL: CVE-2020-10705
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10705
Release Date: 2020-06-10
Fix Resolution (io.undertow:undertow-core): 2.0.31.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.10.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-10719
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
- spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library)
- ❌ undertow-core-2.0.28.Final.jar (Vulnerable Library)
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
Publish Date: 2020-05-26
URL: CVE-2020-10719
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10719
Release Date: 2020-05-26
Fix Resolution (io.undertow:undertow-core): 2.0.31.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.10.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-20220
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
- spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library)
- ❌ undertow-core-2.0.28.Final.jar (Vulnerable Library)
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
Publish Date: 2021-02-23
URL: CVE-2021-20220
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qjwc-v72v-fq6r
Release Date: 2021-02-23
Fix Resolution (io.undertow:undertow-core): 2.0.34.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.3.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-10687
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
- spring-boot-starter-undertow-2.2.2.RELEASE.jar (Root Library)
- ❌ undertow-core-2.0.28.Final.jar (Vulnerable Library)
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
Publish Date: 2020-09-23
URL: CVE-2020-10687
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1785049
Release Date: 2020-09-23
Fix Resolution (io.undertow:undertow-core): 2.1.5.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.3.7.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Path to dependency file: /webgoat-container/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
Publish Date: 2020-04-21
URL: CVE-2020-1757
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1757
Release Date: 2020-04-30
Fix Resolution (io.undertow:undertow-core): 2.0.30.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.6.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.
Publish Date: 2021-02-23
URL: CVE-2020-27782
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rhcw-wjcm-9h6g
Release Date: 2021-02-23
Fix Resolution (io.undertow:undertow-core): 2.0.33.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.12.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.
Publish Date: 2020-06-10
URL: CVE-2020-10705
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10705
Release Date: 2020-06-10
Fix Resolution (io.undertow:undertow-core): 2.0.31.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.10.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
Publish Date: 2020-05-26
URL: CVE-2020-10719
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10719
Release Date: 2020-05-26
Fix Resolution (io.undertow:undertow-core): 2.0.31.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.2.10.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. The highest threat from this vulnerability is to data confidentiality and integrity.
Publish Date: 2021-02-23
URL: CVE-2021-20220
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qjwc-v72v-fq6r
Release Date: 2021-02-23
Fix Resolution (io.undertow:undertow-core): 2.0.34.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.3.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - undertow-core-2.0.28.Final.jar
Undertow
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.0.28.Final/undertow-core-2.0.28.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d009fa7fce1dede0a3ec27d4e5deb31ab5da228b
Found in base branch: master
Vulnerability Details
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
Publish Date: 2020-09-23
URL: CVE-2020-10687
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1785049
Release Date: 2020-09-23
Fix Resolution (io.undertow:undertow-core): 2.1.5.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.3.7.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.