CVE-2018-1114

MEDIUM

Undertow < 1.4.25.Final - File Descriptor Leak via URLResource.getLastModified()


Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-1114. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: The repository contains only the source code of Undertow, a Java web server, without any exploit code or technical analysis related to CVE-2018-1114. The README provides general information about Undertow but no details about the vulnerability.

Description

It was found that URLResource.getLastModified() in Undertow closes file descriptors only when they are finalized, which can exhaust the available file descriptors. This leads to a file handle leak.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-1114-undertow-vulnerable

The repository contains only the source code of Undertow, a Java web server, without any exploit code or technical analysis related to CVE-2018-1114. The README provides general information about Undertow but no details about the vulnerability.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Undertow (version not specified)
No auth needed
Prerequisites: none
devstral-2 · analyzed Mar 14, 2026

nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-1114-undertow-vulnerable

This repository contains the source code of Undertow, a Java web server, with a focus on the vulnerable version affected by CVE-2018-1114. The README provides an overview of Undertow's components, but no explicit exploit code or technical analysis of the vulnerability is included.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Undertow (version not specified)
No auth needed
Prerequisites: Access to the vulnerable Undertow server
devstral-2 · analyzed Feb 18, 2026

References (6)

Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1114
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2669
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2643
Issue Tracking, Third Party Advisory x_refsource_misc
https://issues.jboss.org/browse/UNDERTOW-1338
Third Party Advisory x_refsource_misc
https://bugs.openjdk.java.net/browse/JDK-6956385
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0877

Scores

CVSS v3 6.5
EPSS 0.0071
EPSS Percentile 72.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE: CWE-400
Status: published
Products (5)
io.undertow/undertow-core 0 - 1.4.25.Final (Maven)
redhat/undertow
redhat/virtualization 4.0
redhat/virtualization 4.2
redhat/virtualization_host 4.0
Published Sep 11, 2018
Tracked Since Feb 18, 2026