CVE-2021-3859

CWE-214 CWE-668 — Exposure to Wrong Sphere CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

7.5HIGH

EPSS

0.3%

top 45.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Undertow Redhat Jboss Enterprise Application Platform Redhat Single Sign-on

Timeline

PublishedAug 26

Description

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDredhat/undertow< 2.2.15

▶Mavenio.undertow:undertow-core< 2.2.15

▶Debianundertow< 2.2.16-1

▶CVEListV5undertowFixed in 2.2.15.Final

▶NVDredhat/single_sign-on7.4.10, 7.5.1+1

Patches

Patch: github.com ↗Patch: issues.redhat.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2021-3859: A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2↗2022-08-26

▶

CVEList

CVE-2021-3859: A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2↗2022-08-26

▶

GHSA

Undertow vulnerable to Denial of Service (DoS) attacks↗2022-07-15

▶

OSV

Undertow vulnerable to Denial of Service (DoS) attacks↗2022-07-15

▶

📋Vendor Advisories

Red Hat

undertow: client side invocation timeout raised when calling over HTTP2↗2022-02-01

▶

Debian

CVE-2021-3859: undertow - A flaw was found in Undertow that tripped the client-side invocation timeout wit...↗2021

▶