GitHub Advisory Database: GHSA-65H2-WF7M-Q2V8
Published: Sep 27, 2023 - 3:30 p.m.

Undertow vulnerable to denial of service

Published: 2023-09-27 15:30:35
CWE: CWE-400, CWE-789
Source: GitHub Advisory Database (github.com)
Tags: undertow, denial of service, servlets, outofmemoryerror, filesizethreshold, remote attack

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.021
Percentile: 89.2%

A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError when they receive large multipart content. This may allow unauthorized users to carry out a remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it is possible to bypass the limit by setting the file name in the request to null.
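The following servlet is an added illustration of the mitigation side and is not code from Undertow or from the advisory. In the Servlet API, fileSizeThreshold only decides when a part is spooled from memory to disk; the container-enforced hard caps are maxFileSize (per part) and maxRequestSize (whole body). The example sets both caps and additionally checks the size of every part, including parts that carry no file name, so a missing filename does not route around the check. The servlet path, the byte limits and the class name are assumed values chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical upload servlet (example only, not Undertow's code).
// The limits below are assumed values; size them for the real deployment.
@WebServlet("/upload")
@MultipartConfig(
    // Parts larger than this are buffered to disk instead of heap.
    // This is NOT a size limit; it only controls where the bytes go.
    fileSizeThreshold = 1024 * 1024,          // 1 MiB
    // Hard cap per part, enforced by the container regardless of filename.
    maxFileSize = 10L * 1024 * 1024,          // 10 MiB
    // Hard cap on the entire multipart request body.
    maxRequestSize = 20L * 1024 * 1024        // 20 MiB
)
public class BoundedUploadServlet extends HttpServlet {

    // Application-level cap applied to every part, filename or not.
    private static final long MAX_PART_BYTES = 10L * 1024 * 1024;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getParts() throws IllegalStateException once maxFileSize or
        // maxRequestSize is exceeded; translate that into a 413 instead of
        // letting it surface as a 500.
        try {
            for (Part part : req.getParts()) {
                // Check size on every part. A part without a submitted file
                // name (getSubmittedFileName() == null) is still bounded.
                if (part.getSize() > MAX_PART_BYTES) {
                    resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                            "multipart part exceeds " + MAX_PART_BYTES + " bytes");
                    return;
                }
                // Drop the buffered bytes as soon as the part has been handled
                // so temporary files and heap are released promptly.
                part.delete();
            }
        } catch (IllegalStateException tooLarge) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "multipart request exceeds configured limits");
            return;
        }
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

The point of the per-part loop is that the bound is applied to the part's byte count, not to whether a filename is present; the annotation-level caps make the container reject oversized bodies before the servlet code runs at all.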

Affected configurations

io.undertow\undertow (Vulners node: Match parent)
