[GHSA-6h4f-pj3g-q8fq] Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded #7106

Closed
aogburn wants to merge 1 commit into aogburn/advisory-improvement-7106 from aogburn-GHSA-6h4f-pj3g-q8fq

aogburn commented Mar 4, 2026

Updates

  • Affected products

Comments
This is also addressed in 2.3.20.SP1 per https://issues.redhat.com/browse/UNDERTOW-2377 so checking/expecting 2.3.21.Final only will result in false positives against the fixed undertow 2.3.20.SP4-redhat-00001 in EAP 8.1 update 3 and later.

@github-actions github-actions bot changed the base branch from main to aogburn/advisory-improvement-7106 March 4, 2026 17:24
@JonathanLEvans

Hi @aogburn,

Thank you for your interest in improving this advisory. I am unable to find 2.3.20.SP1 in Maven. Could you provide a link to where you found it?

aogburn commented Mar 4, 2026

The Undertow SP releases would generally be JBoss EAP specific patch tags and so aren't issued on the default central maven repo. They are issued on the Red Hat maven repo and this would be the actual jar version provided in EAP 8.1 errata like https://access.redhat.com/errata/RHSA-2026:0384 noted in this advisory. 2.3.20.SP1 was never formally released publicly so if we want to keep the advisory to a public release, then we can reference 2.3.20.SP4-redhat-00001 instead of 2.3.20.SP1.

@JonathanLEvans

We do not support the Red Hat Maven repository. You can find a list of supported ecosystems here.

@github-actions github-actions bot deleted the aogburn-GHSA-6h4f-pj3g-q8fq branch March 4, 2026 21:36