Denial of service in Undertow



Published: 2022-10-05
Risk Medium
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2022-1259
CWE-ID CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Undertow
Server applications / Web servers

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource exhaustion

EUVDB-ID: #VU67947

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1259

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect handling of HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Note, the vulnerability exists due to an incomplete fix for #VU58177 (CVE-2021-3629).

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Undertow: 2.0.0 - 2.3.0 Alpha2


CPE2.3 External links

http://bugzilla.redhat.com/show_bug.cgi?id=2072339

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###