CVE-2023-5379

CWE-770 — Allocation without Limits6 documents6 sources

Severity

7.5HIGH

EPSS

0.1%

top 66.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform Redhat Single Sign-on

Timeline

PublishedDec 12

Latest updateDec 13

Description

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue co…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDredhat/jboss_enterprise_application_platform7.0.0

▶Debianundertow< 2.3.18-1

▶NVDredhat/single_sign-on7.0

🔴Vulnerability Details

GHSA

GHSA-q462-4hrv-w27r: A flaw was found in Undertow↗2023-12-13

▶

CVEList

Undertow: ajp request closes connection exceeding maxrequestsize↗2023-12-12

▶

OSV

CVE-2023-5379: A flaw was found in Undertow↗2023-12-12

▶

📋Vendor Advisories

Red Hat

undertow: AJP Request closes connection exceeding maxRequestSize↗2023-12-12

▶

Debian

CVE-2023-5379: undertow - A flaw was found in Undertow. When an AJP request is sent that exceeds the max-h...↗2023

▶