CVE-2018-14642

MEDIUM

Undertow < 2.0.19.FINAL - Information Disclosure via Write Buffer Flush

Title source: llm
STIX 2.1

Description

An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.

References (9)

Core 9
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14642
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0364
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0362
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0365
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0380
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1107
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1108
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1106
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1140

Scores

CVSS v3 5.3
EPSS 0.0211
EPSS Percentile 79.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (5)
io.undertow/undertow-core 0 - 2.0.19.FINALMaven
redhat/jboss_enterprise_application_platform 7.1
redhat/jboss_enterprise_application_platform 7.2
redhat/jboss_enterprise_application_platform 7.3
redhat/undertow
Published Sep 18, 2018
Tracked Since Feb 18, 2026