Bug#1132323: undertow: CVE-2024-4027
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 30 16:00:20 BST 2026
Source: undertow
Version: 2.3.20-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for undertow.
CVE-2024-4027[0]:
| A flaw was found in Undertow. Servlets using a method that calls
| HttpServletRequestImpl.getParameterNames() can cause an
| OutOfMemoryError when the client sends a request with large
| parameter names. This issue can be exploited by an unauthorized user
| to cause a remote denial-of-service (DoS) attack.
There is one reference attached to the CVE, [1], but it is restricted
so can you try to get more details on the issue?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-4027
https://www.cve.org/CVERecord?id=CVE-2024-4027
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2276410
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list