
[GHSA-j382-5jj3-vw4j] Undertow HTTP server core doesn't properly validate the Host header in incoming HTTP requests #7105

Open
aogburn wants to merge 1 commit into aogburn/advisory-improvement-7105 from aogburn-GHSA-j382-5jj3-vw4j

Conversation

@aogburn

@aogburn aogburn commented Mar 4, 2026

Updates

  • Affected products

Comments
This is also addressed in Undertow 2.3.20.SP2, so checking/expecting 2.3.21.Final only will result in false positives against the fixed Undertow 2.3.20.SP4-redhat-00001 in EAP 8.1 update 3 and later.

@github-actions github-actions bot changed the base branch from main to aogburn/advisory-improvement-7105 March 4, 2026 17:18
@JonathanLEvans

Hi @aogburn,

Thank you for your interest in improving this advisory. I am unable to find 2.3.20.SP2 in Maven. Could you provide a link to where you found it?

@aogburn

aogburn commented Mar 4, 2026

The Undertow SP releases would generally be JBoss EAP-specific patch tags and so aren't issued on the default Maven Central repo. They are issued on the Red Hat Maven repo, and this would be the actual jar version provided in EAP 8.1 errata like https://access.redhat.com/errata/RHSA-2026:0384 noted in this advisory. 2.3.20.SP2 was never formally released publicly, so if we want to keep the advisory to a public release, then we can reference 2.3.20.SP4-redhat-00001 instead of 2.3.20.SP2.
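The false-positive problem raised in this thread, as an added example that is not part of the PR or of the advisory: a scanner rule that only knows "fixed in 2.3.21.Final" compares the base version and flags the Red Hat build 2.3.20.SP4-redhat-00001 as vulnerable, while a rule that understands the `.SPn` and `-redhat-NNNNN` qualifiers does not. The version strings below are constructed for illustration, and the rule that any 2.3.20 service pack numbered SP2 or higher carries the fix is an assumption drawn from the thread (which names 2.3.20.SP2 and 2.3.20.SP4-redhat-00001), not a statement from the advisory itself.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Maven-style Undertow version: MAJOR.MINOR.PATCH[.Final|.SPn][-redhat-NNNNN]
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\.(?P<qual>Final|SP(?P<sp>\d+)))?"
    r"(?:-(?P<vendor>redhat-\d+))?$"
)


@dataclass(frozen=True)
class UndertowVersion:
    major: int
    minor: int
    patch: int
    sp: Optional[int]       # service-pack number, None for .Final or bare releases
    vendor: Optional[str]   # e.g. "redhat-00001" for a JBoss EAP build


def parse_version(s: str) -> UndertowVersion:
    """Parse an Undertow artifact version; raises ValueError on unknown shapes."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Undertow version: {s!r}")
    sp = int(m.group("sp")) if m.group("sp") else None
    return UndertowVersion(
        int(m.group("major")), int(m.group("minor")), int(m.group("patch")),
        sp, m.group("vendor"),
    )


def base_tuple(v: UndertowVersion) -> tuple:
    return (v.major, v.minor, v.patch)


# Fix boundaries as named in the PR thread.
UPSTREAM_FIXED = (2, 3, 21)          # 2.3.21.Final and anything newer
# Assumption: for base 2.3.20, SP2 and any later service pack (with or
# without a -redhat-NNNNN build suffix) carry the fix.
SP_FIXED = {(2, 3, 20): 2}


def naive_is_fixed(s: str) -> bool:
    """The rule the PR objects to: 'fixed' only if the base version is >= 2.3.21."""
    return base_tuple(parse_version(s)) >= UPSTREAM_FIXED


def is_fixed(s: str) -> bool:
    """SP-aware rule: accept >= 2.3.21, or a 2.3.20 service pack at SP2 or later."""
    v = parse_version(s)
    base = base_tuple(v)
    if base >= UPSTREAM_FIXED:
        return True
    min_sp = SP_FIXED.get(base)
    return min_sp is not None and v.sp is not None and v.sp >= min_sp


def false_positives(versions) -> list:
    """Versions the naive rule reports as vulnerable but the SP-aware rule accepts."""
    return [s for s in versions if not naive_is_fixed(s) and is_fixed(s)]


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    inventory = [
        "2.3.19.Final",
        "2.3.20.Final",
        "2.3.20.SP1",
        "2.3.20.SP2",
        "2.3.20.SP4-redhat-00001",
        "2.3.21.Final",
    ]
    for ver in inventory:
        print(f"{ver:28} naive={naive_is_fixed(ver)!s:5} sp_aware={is_fixed(ver)}")
    print("false positives under the naive rule:", false_positives(inventory))
```

Running the block prints one line per constructed version and then the two Red Hat-style service-pack versions that the naive rule would wrongly report as unfixed.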

