VYPR · NVD Advisory · High severity · Published Sep 27, 2023 · Updated Aug 2, 2024

Undertow: OutOfMemoryError due to @MultipartConfig handling

CVE-2023-3223

Description

A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause a remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it is possible to bypass the limit by setting the file name in the request to null.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.undertow:undertow-parent (Maven)
Affected versions: < 2.2.24.Final
Patched versions: 2.2.24.Final

Affected products (22)
  • Red Hat / Red Hat Integration Camel K
    cpe:/a:redhat:integration:1
  • Red Hat / Red Hat JBoss Data Grid 7
    cpe:/a:redhat:jboss_data_grid:7
  • Red Hat / Red Hat Data Grid 8
    cpe:/a:redhat:jboss_data_grid:8
  • cpe:/a:redhat:jboss_enterprise_application_platform:7.4 (4 CPEs)
    • cpe:/a:redhat:jboss_enterprise_application_platform:7.4
    • cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 (range: 0:2.2.25-3.SP3_redhat_00001.1.el7eap)
    • cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 (range: 0:2.2.25-3.SP3_redhat_00001.1.el8eap)
    • cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 (range: 0:2.2.25-3.SP3_redhat_00001.1.el9eap)
  • cpe:/a:redhat:jboss_enterprise_bpms_platform:7
  • Red Hat / Red Hat Decision Manager 7
    cpe:/a:redhat:jboss_enterprise_brms_platform:7
  • Red Hat / Red Hat JBoss Fuse 6
    cpe:/a:redhat:jboss_fuse:6
  • Red Hat / Red Hat Fuse 7.12.1
    cpe:/a:redhat:jboss_fuse:7
  • Red Hat / Red Hat support for Spring Boot
    cpe:/a:redhat:openshift_application_runtimes:1.0
  • Red Hat / Red Hat OpenStack Platform 13 (Queens) Operational Tools
    cpe:/a:redhat:openstack-optools:13
  • Red Hat / Red Hat build of Quarkus
    cpe:/a:redhat:quarkus:2
  • Red Hat / Single Sign On (4 versions)
    • cpe:/a:redhat:red_hat_single_sign_on:7.6.5
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 (range: 0:18.0.9-1.redhat_00001.1.el7sso)
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 (range: 0:18.0.9-1.redhat_00001.1.el8sso)
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 (range: 0:18.0.9-1.redhat_00001.1.el9sso)
  • Red Hat / RHEL-8 based Middleware Containers
    cpe:/a:redhat:rhosemc:1.0::el8
    Range: 7.6-27
  • Red Hat / Red Hat Integration Service Registry
    cpe:/a:redhat:service_registry:2
  • GHSA coordinates
    Range: < 2.2.24.Final
