CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: High
EPSS
Percentile: 21.2%
A flaw was found in Undertow. When an AJP request is sent that exceeds the
max-header-size attribute of the ajp-listener, JBoss EAP closes the TCP
connection without returning an AJP response, and mod_cluster in httpd marks
the JBoss EAP instance as being in an error state. This happens because
mod_proxy_cluster marks a backend as an error worker when the TCP connection
is closed from the backend after the AJP request was sent but before an AJP
response was received, and then stops forwarding requests to it. This issue
could allow a malicious user to repeatedly send requests that exceed the
max-header-size, causing a Denial of Service (DoS).