CVE-2021-3690

2022-08-2316:15:09

CWE-400

CWE-401

[email protected]

web.nvd.nist.gov

151

undertow

cve-2021-3690

websocket

pong

denial of service

memory exhaustion

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.4%

JSON

A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

Affected configurations

Vulners

NVD

Node

redhatundertowRange≤2.2.10

redhatundertowRange≤2.0.40

VendorProductVersionCPE
redhatundertow*cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
redhatundertow*cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	undertow	*	cpe:2.3:a:redhat:undertow::::::::
redhat	undertow	*	cpe:2.3:a:redhat:undertow::::::::

CNA Affected

[
  {
    "product": "undertow",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in 2.2.10.Final, 2.0.40.Final"
      }
    ]
  }
]