Lucene search

[email protected]NVD:CVE-2023-3223

HistorySep 27, 2023 - 3:18 p.m.

CVE-2023-3223

2023-09-2715:18:56

CWE-789

[email protected]

web.nvd.nist.gov

undertow

servlet

multipartconfig

outofmemoryerror

dos attack

filesizethreshold

bypass

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.5

Confidence

High

EPSS

0.025

Percentile

90.4%

JSON

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it’s possible to bypass the limit by setting the file name in the request to null.

Affected configurations

Nvd

Node

redhatundertowRange<2.2.24

Node

redhatopenshift_container_platformMatch4.11

redhatopenshift_container_platformMatch4.12

redhatopenshift_container_platform_for_ibm_linuxoneMatch4.9

redhatopenshift_container_platform_for_ibm_linuxoneMatch4.10

redhatopenshift_container_platform_for_powerMatch4.9

redhatopenshift_container_platform_for_powerMatch4.10

AND

redhatenterprise_linuxMatch8.0

Node

redhatjboss_enterprise_application_platform_text-only_advisoriesMatch-

redhatsingle_sign-onMatch-text-only

Node

redhatenterprise_linuxMatch7.0

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

AND

redhatsingle_sign-onMatch7.6

Node

redhatenterprise_linuxMatch7.0

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

AND

redhatjboss_enterprise_application_platformMatch7.4

VendorProductVersionCPE
redhatundertow*cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
redhatopenshift_container_platform4.11cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*
redhatopenshift_container_platform4.12cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_ibm_linuxone4.9cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_ibm_linuxone4.10cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_power4.9cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*
redhatopenshift_container_platform_for_power4.10cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhatjboss_enterprise_application_platform_text-only_advisories-cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:*:*:*:*:*:*:*
redhatsingle_sign-on-cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*

Vendor	Product	Version	CPE
redhat	undertow	*	cpe:2.3:a:redhat:undertow::::::::
redhat	openshift_container_platform	4.11	cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::*
redhat	openshift_container_platform	4.12	cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::*
redhat	openshift_container_platform_for_ibm_linuxone	4.9	cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:::::::*
redhat	openshift_container_platform_for_ibm_linuxone	4.10	cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:::::::*
redhat	openshift_container_platform_for_power	4.9	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:::::::*
redhat	openshift_container_platform_for_power	4.10	cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:::::::*
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
redhat	jboss_enterprise_application_platform_text-only_advisories	-	cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:::::::*
redhat	single_sign-on	-	cpe:2.3:a:redhat:single_sign-on:-::::text-only:::