Description
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.
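The description names the trigger only as "query strings with non-RFC compliant characters". The following is an added example, not Undertow's code and not a reproduction of the reported flaw: it applies the RFC 3986 grammar for the query component (query = *( pchar / "/" / "?" ), with pchar built from unreserved, pct-encoded, sub-delims, ":" and "@") to the request target of access-log lines and reports every byte that falls outside it. The log lines are constructed for illustration, and the disallowed characters they contain are chosen to exercise the grammar, not taken from the advisory. A check like this, run on a front proxy or over logs, is how a practitioner would find malformed query strings before or after they reach an AJP connector.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 3986 character classes for the query component:
#   query      = *( pchar / "/" / "?" )
#   pchar      = unreserved / pct-encoded / sub-delims / ":" / "@"
#   unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
#   sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
SUB_DELIMS = set("!$&'()*+,;=")
QUERY_LITERALS = UNRESERVED | SUB_DELIMS | set(":@/?")
HEXDIG = set("0123456789ABCDEFabcdef")


def query_violations(query: str) -> List[Tuple[int, str]]:
    """Return (offset, reason) for every position of `query` that RFC 3986 does not permit."""
    problems: List[Tuple[int, str]] = []
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "%":
            # pct-encoded = "%" HEXDIG HEXDIG: both digits must exist and be hex
            if i + 2 < n and query[i + 1] in HEXDIG and query[i + 2] in HEXDIG:
                i += 3
                continue
            problems.append((i, "malformed percent-encoding"))
        elif ch not in QUERY_LITERALS:
            code = ord(ch)
            if code > 0x7F:
                reason = "non-ASCII character"
            elif code < 0x20 or code == 0x7F:
                reason = "control character"
            else:
                reason = f"disallowed ASCII {ch!r}"
            problems.append((i, reason))
        i += 1
    return problems


def split_target(target: str) -> Tuple[str, Optional[str]]:
    """Split an origin-form request target into path and query (None when there is no '?')."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)


# Common/combined access-log shape; the target is matched lazily so a raw space inside it
# is captured (and then flagged) instead of silently breaking the match.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.+?) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def scan_access_log(lines: List[str]) -> List[Dict]:
    """Return one finding per logged request whose query string violates RFC 3986."""
    findings: List[Dict] = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format; skip rather than guess
        _, query = split_target(m.group("target"))
        if query is None:
            continue
        bad = query_violations(query)
        if bad:
            findings.append({"line": lineno, "client": m.group("client"),
                             "query": query, "violations": bad})
    return findings


# Constructed sample log (hypothetical hosts and timestamps; not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Feb/2021:10:00:00 +0000] "GET /app/search?q=caf%C3%A9&page=2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Feb/2021:10:00:01 +0000] "GET /app/search?q=caf\u00e9 HTTP/1.1" 400 0',
    '10.0.0.6 - - [23/Feb/2021:10:00:02 +0000] "GET /app/search?q=a%ZZb HTTP/1.1" 400 0',
    '10.0.0.7 - - [23/Feb/2021:10:00:03 +0000] "GET /app/search?q={x}|y^z HTTP/1.1" 400 0',
    '10.0.0.8 - - [23/Feb/2021:10:00:04 +0000] "GET /app/health HTTP/1.1" 200 2',
    '10.0.0.9 - - [23/Feb/2021:10:00:05 +0000] "GET /app/search?q=a b HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: {f['query']!r} -> {f['violations']}")
```

Only the first log line is RFC-clean; the others are flagged for a raw non-ASCII byte, a bad percent escape, brace/pipe/caret characters, and an unencoded space respectively. Note that browsers and many clients percent-encode these before sending, so unencoded occurrences in server logs are worth alerting on.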
References (1)
Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1901304
Scores
CVSS v3
7.5
EPSS
0.0018
EPSS Percentile
39.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (7)
io.undertow/undertow-core
2.1.0 - 2.1.5 (Maven)
redhat/jboss_fuse
6.0.0
redhat/jboss_fuse
7.0.0
redhat/openshift_application_runtimes
redhat/undertow
2.0.33 sp2
redhat/undertow
2.1.5 sp1
redhat/undertow
2.2.3 sp1
Published
Feb 23, 2021
Tracked Since
Feb 18, 2026