CVE-2023-3223
Undertow: outofmemoryerror due to @multipartconfig handling
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.
| CWE | CWE-789 |
| Vendor | red hat |
| Product | red hat fuse 7.12.1 |
| Published | Sep 27, 2023 |
| Last Updated | Aug 2, 2024 |
Stay Ahead of the Next One
Get instant alerts for red hat red hat fuse 7.12.1
Be the first to know when new high vulnerabilities affecting red hat red hat fuse 7.12.1 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
Red Hat / Red Hat Fuse 7.12.1
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.1.0
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
All versions affected Red Hat / Red Hat Single Sign-On 7.6.5
All versions affected Red Hat / Red Hat Single Sign-On 7.6 for RHEL 7
All versions affected Red Hat / Red Hat Single Sign-On 7.6 for RHEL 8
All versions affected Red Hat / Red Hat Single Sign-On 7.6 for RHEL 9
All versions affected Red Hat / RHEL-8 based Middleware Containers
All versions affected Red Hat / Red Hat build of Quarkus
All versions affected Red Hat / Red Hat Data Grid 8
All versions affected Red Hat / Red Hat Decision Manager 7
All versions affected Red Hat / Red Hat Integration Camel K
All versions affected Red Hat / Red Hat Integration Service Registry
All versions affected Red Hat / Red Hat JBoss Data Grid 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
All versions affected Red Hat / Red Hat JBoss Fuse 6
All versions affected Red Hat / Red Hat OpenStack Platform 13 (Queens) Operational Tools
All versions affected Red Hat / Red Hat Process Automation 7
All versions affected Red Hat / Red Hat support for Spring Boot
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4505 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4506 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4507 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4509 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4918 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4919 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4920 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4921 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:4924 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7247 access.redhat.com: https://access.redhat.com/security/cve/CVE-2023-3223 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2209689 security.netapp.com: https://security.netapp.com/advisory/ntap-20231027-0004/
Credits
Red Hat would like to thank Keke Lian & Haoran Zhao (SecSys Lab) for reporting this issue.