Skip to content

Comments

[Snyk] Security upgrade io.undertow:undertow-core from 2.0.9.Final to 2.2.27.Final#45

Open
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-e15e2edf34f5d8db580ae10ad7ed2e2e
Open

[Snyk] Security upgrade io.undertow:undertow-core from 2.0.9.Final to 2.2.27.Final#45
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-e15e2edf34f5d8db580ae10ad7ed2e2e

Conversation

@weinrich15
Copy link
Collaborator

@weinrich15 weinrich15 commented Aug 10, 2025

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
high severity Memory Allocation with Excessive Size Value
SNYK-JAVA-IOUNDERTOW-11520814		   768   io.undertow:undertow-core:
2.0.9.Final -> 2.2.27.Final
Proof of Concept

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@snyk-bot
fix: pom.xml to reduce vulnerabilities
8619299 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-11520814
@weinrich15
Copy link
Collaborator Author

weinrich15 commented Aug 10, 2025

Logo
Checkmarx One – Scan Summary & Detailsc205a418-334d-4d59-a673-7ed47cf4c568

New Issues (20)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight
CRITICAL S3 Bucket Allows Delete Action From All Principals /s3_with_all_permissions.tf: 5
detailsS3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized...
ID: j6z7Nppuf3vonyn6ZDSKClAqRBE%3D
HIGH CVE-2023-1973 Maven-io.undertow:undertow-core-2.2.27.Final
detailsRecommended version: 2.2.36.Final
Description: A flaw was found in Undertow package. Using the "FormAuthenticationMechanism", a malicious user could trigger a Denial of Service by sending crafte...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: CvozJguPqXW%2FY4Y9XsLrGral%2FBBbNc0y76JP36cL6pQ%3D
Vulnerable Package
HIGH CVE-2023-22102 Maven-mysql:mysql-connector-java-5.1.26
detailsDescription: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). The affected versions are through 8.1.0. The difficult-to-e...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: urVZotaF4d1fAP8Csa78CKVyO6AOg7XT0JCrLOzFFOI%3D
Vulnerable Package
HIGH CVE-2023-4639 Maven-io.undertow:undertow-core-2.2.27.Final
detailsRecommended version: 2.2.36.Final
Description: A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allo...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: 0BQiC3DVi2ERcwUoc0Khc%2BztSsgzJR3xOU2Yg6yDAq0%3D
Vulnerable Package
HIGH CVE-2024-1635 Maven-io.undertow:undertow-core-2.2.27.Final
detailsRecommended version: 2.2.36.Final
Description: A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious use...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 8fRMraGNNWwdGx8RyMEJ1OAE6mqoeVOVjzoElbX5dcE%3D
Vulnerable Package
HIGH CVE-2024-38286 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.107
Description: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat versions 9.0.13 through 9.0.8...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 62X2%2F3lBVYVDsrmYjwbQwB8XEIOggoa3oPvwczoWArg%3D
Vulnerable Package
HIGH CVE-2024-7885 Maven-io.undertow:undertow-core-2.2.27.Final
detailsRecommended version: 2.2.36.Final
Description: A vulnerability was found in Undertow where the "ProxyProtocolReadListener" reuses the same "StringBuilder" instance across multiple requests. This...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: bQfZh4u4O1DFVi24ZQtf1Xke9AGDKeJV3LvtNI%2FjDWw%3D
Vulnerable Package
HIGH CVE-2025-52434 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.107
Description: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Nativ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: QqvOjBTVBH%2FmTeQMGkLYDVHIU8jjcf7XyB275t2NTFA%3D
Vulnerable Package
HIGH CVE-2025-53506 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.107
Description: Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces th...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: KF0eDNrZkWFNGSfNaMIkjtupM7CLBLzCWr4gv5swMt8%3D
Vulnerable Package
MEDIUM CVE-2024-12798 Maven-ch.qos.logback:logback-core-1.2.3
detailsRecommended version: 1.3.15
Description: Arbitrary Code Execution vulnerability in "JaninoEventEvaluator" by QOS.CH logback in Java applications, allows attackers to execute arbitrary code...
Attack Vector: LOCAL
Attack Complexity: LOW

ID: EtiGwpRqhz%2BOM14vFKAlX%2FJT%2FFtpiMBqb%2BO0ddxEGiM%3D
Vulnerable Package
MEDIUM CVE-2024-12798 Maven-ch.qos.logback:logback-classic-1.2.3
detailsRecommended version: 1.3.15
Description: Arbitrary Code Execution vulnerability in "JaninoEventEvaluator" by QOS.CH logback in Java applications, allows attackers to execute arbitrary code...
Attack Vector: LOCAL
Attack Complexity: LOW

ID: IvmiS6FKUD4gnHMqV1jaxdsLjiG5MPBZhW9mJha8dR0%3D
Vulnerable Package
MEDIUM CVE-2024-38808 Maven-org.springframework:spring-expression-5.0.4.RELEASE
detailsRecommended version: 5.3.31-wso2v1
Description: In Spring Framework versions through 5.3.38, a user can provide a specially crafted Spring Expression Language (SpEL) expression that may cause a D...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 9AS2igwfRws6yJpNW0d8CBGCjPq9IjO0PlpNxDFDOZI%3D
Vulnerable Package
MEDIUM Use_of_Broken_or_Risky_Cryptographic_Algorithm /src/main/java/org/cysecurity/cspf/jvl/model/HashMe.java: 16
detailsIn hashMe, the application protects sensitive data using a cryptographic algorithm, getInstance, that is considered weak or even trivially broken, ...
ID: ec8wJf6qRwmkCZRXmWqlze7dIcc%3D
Attack Vector
LOW CVE-2024-12801 Maven-ch.qos.logback:logback-core-1.2.3
detailsRecommended version: 1.3.15
Description: Server-Side Request Forgery (SSRF) in "SaxEventRecorder" by QOS.CH logback on the Java platform, allows an attacker to forge requests by compromisi...
Attack Vector: LOCAL
Attack Complexity: LOW

ID: pYsg%2Fn9BusHRvlZG654wi%2BRAcD18rSxPA6bbA9%2FeMGQ%3D
Vulnerable Package
LOW CVE-2024-38820 Maven-org.springframework:spring-test-5.0.4.RELEASE
detailsRecommended version: 5.3.31-wso2v1
Description: The fix for CVE-2022-22968 made "disallowedFields" patterns in "DataBinder" case-insensitive. However, using "String.toLowerCase()" introduces some...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 14QNV9HiFjCJdI2IODXEfXIuJXNKftyTjFesRUhS5Ts%3D
Vulnerable Package
LOW CVE-2024-38820 Maven-org.springframework:spring-beans-5.0.4.RELEASE
detailsRecommended version: 5.3.31-wso2v1
Description: The fix for CVE-2022-22968 made "disallowedFields" patterns in "DataBinder" case-insensitive. However, using "String.toLowerCase()" introduces some...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: a3yaJvUSXOLjp8hL1uX3EKbSsObtrD06PBzSDNIl%2F4I%3D
Vulnerable Package
LOW CVE-2024-38820 Maven-org.springframework:spring-context-5.0.4.RELEASE
detailsRecommended version: 6.1.20
Description: The fix for CVE-2022-22968 made "disallowedFields" patterns in "DataBinder" case-insensitive. However, using "String.toLowerCase()" introduces some...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: gn5BIOQEm6UIShnBEpwSuxp5Lolp2gSYNnebbPEuI9c%3D
Vulnerable Package
LOW CVE-2024-38820 Maven-org.springframework:spring-core-5.0.4.RELEASE
detailsRecommended version: 5.3.31-wso2v1
Description: The fix for CVE-2022-22968 made "disallowedFields" patterns in "DataBinder" case-insensitive. However, using "String.toLowerCase()" introduces some...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: w88Ol%2B68Ux4eoqdZdNxizivQk2sDYVbl6JbSG7sPJkQ%3D
Vulnerable Package
LOW CVE-2024-38820 Maven-org.springframework:spring-expression-5.0.4.RELEASE
detailsRecommended version: 5.3.31-wso2v1
Description: The fix for CVE-2022-22968 made "disallowedFields" patterns in "DataBinder" case-insensitive. However, using "String.toLowerCase()" introduces some...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: YGfDiiLHr0UDObcJHhc7ptzKFH5h5VmLdJpAQAQYBAY%3D
Vulnerable Package
LOW CVE-2025-22233 Maven-org.springframework:spring-context-5.0.4.RELEASE
detailsRecommended version: 6.1.20
Description: CVE-2024-38820 ensured locale-independent, lowercase conversion for both the configured "disallowedFields" patterns and for request parameter names...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: sm4CkSpvsQ2w26%2FlgprkUAFjjpraGyVBMWSgjW5OU48%3D
Vulnerable Package
Fixed Issues (139)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
HIGH CVE-2016-10707 Npm-jquery-1.6.4
HIGH CVE-2018-1272 Maven-org.springframework:spring-core-5.0.4.RELEASE
HIGH CVE-2019-10212 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2019-3888 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2020-10705 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2020-1745 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2020-1757 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2020-27782 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2021-3690 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2021-3859 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2022-1319 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2022-2053 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2022-4492 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2023-1108 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH Client_DOM_Stored_XSS /src/main/webapp/vulnerability/Injection/xxe.jsp: 12
HIGH Client_DOM_Stored_XSS /src/main/webapp/vulnerability/Injection/xxe.jsp: 15
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58

More results are available on the CxOne platform

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@weinrich15 @snyk-bot