CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: Low
EPSS Percentile: 13.7%
Undertow is vulnerable to Denial of Service (DoS). The vulnerability is due to Undertow's failure to send the expected termination sequence (0\r\n) for chunked responses after flushing the response body. This incomplete handling of chunked responses can be exploited by an attacker to cause uncontrolled resource consumption. Note that this vulnerability is only exploitable when running on Java 17 with TLSv1.3.
access.redhat.com/errata/RHSA-2024:4392
access.redhat.com/errata/RHSA-2024:4884
access.redhat.com/errata/RHSA-2024:5143
access.redhat.com/errata/RHSA-2024:5144
access.redhat.com/errata/RHSA-2024:5145
access.redhat.com/errata/RHSA-2024:5147
access.redhat.com/errata/RHSA-2024:6508
access.redhat.com/security/cve/CVE-2024-5971
bugzilla.redhat.com/show_bug.cgi?id=2292211
github.com/advisories/GHSA-xpp6-8r3j-ww43