{"schema_version":"1.7.2","id":"OESA-2026-1431","modified":"2026-02-28T12:44:11Z","published":"2026-02-28T12:44:11Z","upstream":["CVE-2024-3884","CVE-2024-4027"],"summary":"undertow security update","details":"Java web server using non-blocking IO\r\n\r\nSecurity Fix(es):\n\nA flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.(CVE-2024-3884)\n\nA flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.(CVE-2024-4027)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"undertow","purl":"pkg:rpm/openEuler/undertow&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.0-10.oe2003sp4"}]}],"ecosystem_specific":{"noarch":["undertow-1.4.0-10.oe2003sp4.noarch.rpm","undertow-javadoc-1.4.0-10.oe2003sp4.noarch.rpm"],"src":["undertow-1.4.0-10.oe2003sp4.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1431"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3884"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4027"}],"database_specific":{"severity":"High"}}