cpe:2.3:a:linecorp:armeria:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Linecorp (d44df211-17ec-5a56-9e39-7a6dbeb881d3)
Product: Armeria (7a853e48-5124-5ea6-8bac-eb04f212773d)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/line/armeria | purl2cpe | 2026-06-01 10:12:14.086285
pkg:maven/com.linecorp.armeria/armeria | purl2cpe | 2026-06-01 10:12:14.086288

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2024-1735 vulnerable 2026-06-03 14:54:34.440717 Details available
CRITICAL (9.1)
A vulnerability has been identified in armeria-saml versions less than 1.27.2, allowing the use of malicious SAML messages to bypass authentication. All users who rely on armeria-saml older than version 1.27.2 must upgrade to 1.27.2 or later.
Published: 2024-02-26T07:25:42.406Z
Updated: 2025-08-26T20:01:39.603Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-44487 vulnerable 2026-06-03 14:53:06.908065 Details available
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Published: 2023-10-10T00:00:00.000Z
Updated: 2026-05-12T10:52:23.784Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-38493 vulnerable 2026-06-03 14:52:31.293099 Paths contain matrix variables bypass decorators
HIGH (7.5)
Armeria is a microservice framework. Spring supports matrix variables. When Spring integration is used, Armeria calls Spring controllers via `TomcatService` or `JettyService` with a path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not be invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.
Published: 2023-07-25T20:51:11.170Z
Updated: 2024-10-03T18:47:47.744Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-43795 vulnerable 2026-06-03 14:45:35.011820 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in com.linecorp.armeria:armeria
HIGH (7.5)
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.
Published: 2021-12-02T18:00:11.000Z
Updated: 2024-08-04T04:03:08.810Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-16771 vulnerable 2026-06-03 14:39:55.344125 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria
MEDIUM (4.8)
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.
Published: 2019-12-06T19:00:20.000Z
Updated: 2024-08-05T01:24:48.270Z
Imported from gcve-enriched-dumps CVE data
