{"id":"OESA-2026-1431","summary":"undertow security update","details":"Java web server using non-blocking IO\r\n\r\nSecurity Fix(es):\n\nA flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.(CVE-2024-3884)\n\nA flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.(CVE-2024-4027)","modified":"2026-02-28T13:02:04.809236Z","published":"2026-02-28T12:44:11Z","upstream":["CVE-2024-3884","CVE-2024-4027"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1431"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3884"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4027"}],"affected":[{"package":{"name":"undertow","ecosystem":"openEuler:20.03-LTS-SP4","purl":"pkg:rpm/openEuler/undertow&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.0-10.oe2003sp4"}]}],"ecosystem_specific":{"src":["undertow-1.4.0-10.oe2003sp4.src.rpm"],"noarch":["undertow-1.4.0-10.oe2003sp4.noarch.rpm","undertow-javadoc-1.4.0-10.oe2003sp4.noarch.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2026-1431.json"}}],"schema_version":"1.7.3"}