GoogleOSV:GHSA-FJ7C-VG2V-CCRMUndertow vulnerable to memory exhaustion due to buffer leak
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
46.7%
Buffer leak on incoming WebSocket PONG message(s) in Undertow before 2.0.40 and 2.2.10 can lead to memory exhaustion and allow a denial of service.
References
access.redhat.com/security/cve/CVE-2021-3690
access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
bugzilla.redhat.com/show_bug.cgi?id=1991299
github.com/undertow-io/undertow
github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
issues.redhat.com/browse/UNDERTOW-1935
nvd.nist.gov/vuln/detail/CVE-2021-3690
www.mend.io/vulnerability-database/CVE-2021-3690
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
46.7%