CVE-2021-3859

EPSS 0.9%
Published 26.08.2022 16:15:09
Last modified 21.11.2024 06:22:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

Affected products Warnungen 0 Metrics 2 CWE 2 References 9

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Jboss Enterprise Application Platform Version7.3

Redhat ≫ Jboss Enterprise Application Platform Version7.4

Redhat ≫ Single Sign-on Version7.4.10

Redhat ≫ Single Sign-on Version7.5.1

Redhat ≫ Undertow Version < 2.2.15

Netapp ≫ Cloud Secure Agent Version-

Netapp ≫ Oncommand Insight Version-

Netapp ≫ Oncommand Workflow Automation Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.9%	0.748

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-214 Invocation of Process Using Visible Sensitive Information

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://access.redhat.com/security/cve/CVE-2021-3859

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2010378

Vendor Advisory

Issue Tracking

https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2

Patch

Third Party Advisory

https://github.com/undertow-io/undertow/pull/1296

Third Party Advisory