Undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
Key Information:
- Vendor: Red Hat
- Status:
- CVE Published: 27 September 2023
What is CVE-2023-3223?
A vulnerability was found in Undertow: servlets annotated with @MultipartConfig can trigger an OutOfMemoryError while processing large multipart content submissions. A remote, unauthorized user can exploit this to cause a denial of service. Configured file-size thresholds do not protect against it: an attacker can bypass such limits by manipulating the request so that the file name is null.
Affected Version(s):
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8: 0:2.2.25-3.SP3_redhat_00001.1.el8eap
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9: 0:2.2.25-3.SP3_redhat_00001.1.el9eap
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7: 0:2.2.25-3.SP3_redhat_00001.1.el7eap