Lucene search

K
githubGitHub Advisory DatabaseGHSA-FJ7C-VG2V-CCRM
HistoryJul 15, 2022 - 9:07 p.m.

Undertow vulnerable to memory exhaustion due to buffer leak

2022-07-1521:07:20
CWE-400
CWE-401
GitHub Advisory Database
github.com
30
undertow
vulnerability
websocket
buffer leak
memory exhaustion
denial of service
software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

47.2%

Buffer leak on incoming WebSocket PONG message(s) in Undertow before 2.0.40 and 2.2.10 can lead to memory exhaustion and allow a denial of service.

Affected configurations

Vulners
Node
io.undertowundertow-coreRange2.2.02.2.10
OR
io.undertowundertow-coreRange<2.0.40
VendorProductVersionCPE
io.undertowundertow-core*cpe:2.3:a:io.undertow:undertow-core:*:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

47.2%