Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02NWgyLXdmN20tcTJ2OM4AA2EK

Undertow vulnerable to denial of service

A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError when handling large multipart content. This may allow unauthorized users to cause a remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it is possible to bypass the limit by setting the file name in the request to null.

Permalink: https://github.com/advisories/GHSA-65h2-wf7m-q2v8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NWgyLXdmN20tcTJ2OM4AA2EK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 7 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Percentage: 0.01583
EPSS Percentile: 0.87696

Identifiers: GHSA-65h2-wf7m-q2v8, CVE-2023-3223
References:
Blast Radius: 3.6

Affected Packages

maven:io.undertow:undertow-parent
Dependent packages: 0
Dependent repositories: 3
Downloads:
Affected Version Ranges: < 2.2.24.Final
Fixed in: 2.2.24.Final
All affected versions: 2.2.2-0.Final, 2.2.2-1.Final, 2.2.2-2.Final, 2.2.2-3.Final
All unaffected versions: