CVE-2023-3223
Summary
| CVE | CVE-2023-3223 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-09-27 15:18:00 UTC |
| Updated | 2023-11-07 04:18:00 UTC |
| Description | A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError when handling large multipart content, which may allow unauthorized remote users to cause a Denial of Service (DoS). If the server relies on fileSizeThreshold to limit file size, the limit can be bypassed by sending the part with a null file name. |
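The security-relevant point in the description is that `fileSizeThreshold` is a spill-to-disk threshold, not an upper bound, and that a part sent without a filename bypasses it. The example below is added here and is not Undertow's, Red Hat's or any advisory's code: it shows a servlet configured with only the threshold beside one that also sets the Servlet-spec limits `maxFileSize` and `maxRequestSize`, plus a filter that rejects oversized multipart bodies by declared length before the multipart parser runs. The package names assume the `jakarta.servlet` API; the URL patterns, limit values and class names are illustrative.

```java
// Added example (not Undertow's or Red Hat's code). Assumes the jakarta.servlet API
// (Undertow 2.3.x); on javax.servlet stacks (Undertow 2.2.x / EAP 7.4) swap the package names.
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.MultipartConfig;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

// WEAK: fileSizeThreshold only decides when a part is spilled from memory to disk.
// It is not a limit on how much data is accepted, and the advisory reports that a
// part sent without a filename bypasses it. Constructed illustration of that shape:
//   Content-Disposition: form-data; name="upload"                   (no filename)
//   Content-Disposition: form-data; name="upload"; filename="x.bin" (file part)
@WebServlet("/upload-weak")
@MultipartConfig(fileSizeThreshold = 1024 * 1024)
class WeakUploadServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getParts(); // parses attacker-controlled parts with no configured upper bound
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// HARDENED: maxFileSize bounds each file part and maxRequestSize bounds the whole body.
// Per the Servlet spec, getParts() throws IllegalStateException when either is exceeded.
// These settings are defense in depth; the fix for the CVE is the vendor update.
@WebServlet("/upload")
@MultipartConfig(
        fileSizeThreshold = 1024 * 1024,     // spill to disk after 1 MiB
        maxFileSize = 10L * 1024 * 1024,     // 10 MiB per file part (illustrative)
        maxRequestSize = 12L * 1024 * 1024)  // 12 MiB for the whole request (illustrative)
class HardenedUploadServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            req.getParts();
        } catch (IllegalStateException e) { // a multipart limit was exceeded
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// Defense in depth that does not depend on the multipart parser at all: reject
// multipart requests whose declared body length is missing or above a cap before the
// servlet ever calls getParts(). MAX_BODY_BYTES is a hypothetical limit.
@WebFilter(urlPatterns = {"/upload", "/upload-weak"})
class MultipartSizeCapFilter implements Filter {
    static final long MAX_BODY_BYTES = 12L * 1024 * 1024;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String ct = req.getContentType();
        if (ct == null || !ct.toLowerCase().startsWith("multipart/")) {
            chain.doFilter(request, response); // not multipart: nothing to cap here
            return;
        }
        long declared = req.getContentLengthLong(); // -1 when absent (chunked body)
        if (declared < 0) {
            resp.sendError(HttpServletResponse.SC_LENGTH_REQUIRED);
            return;
        }
        if (declared > MAX_BODY_BYTES) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The filter works only on the declared `Content-Length`: the container parses multipart bodies from its own request channel, not from a wrapped `getInputStream()`, so a byte-counting request wrapper would not be consulted by `getParts()`. Chunked multipart uploads are therefore refused with 411 here; where they must be accepted, cap the body at the listener instead (Undertow's `UndertowOptions.MAX_ENTITY_SIZE` server option, or `max-post-size` on the WildFly/EAP `http-listener`), which applies regardless of how the body is framed.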
Risk And Classification
Problem Types: NVD-CWE-noinfo (NVD has not assigned a specific CWE to this record)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Red Hat | Enterprise Linux | 7.0 | All | All | All |
| Operating System | Red Hat | Enterprise Linux | 8.0 | All | All | All |
| Operating System | Red Hat | Enterprise Linux | 9.0 | All | All | All |
| Application | Red Hat | JBoss Enterprise Application Platform | 7.4 | All | All | All |
| Application | Red Hat | JBoss Enterprise Application Platform Text-only Advisories | - | All | All | All |
| Application | Red Hat | OpenShift Container Platform | 4.11 | All | All | All |
| Application | Red Hat | OpenShift Container Platform | 4.12 | All | All | All |
| Application | Red Hat | OpenShift Container Platform for IBM LinuxONE | 4.10 | All | All | All |
| Application | Red Hat | OpenShift Container Platform for IBM LinuxONE | 4.9 | All | All | All |
| Application | Red Hat | OpenShift Container Platform for Power | 4.10 | All | All | All |
| Application | Red Hat | OpenShift Container Platform for Power | 4.9 | All | All | All |
| Application | Red Hat | Single Sign-On | - | All | All | All |
| Application | Red Hat | Single Sign-On | 7.6 | All | All | All |
| Application | Red Hat | Undertow | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 2209689 – (CVE-2023-3223) CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling | MISC | bugzilla.redhat.com | |
| Red Hat security advisories (multiple) | MISC | access.redhat.com | |
| CVE-2023-3223 Undertow Vulnerability in NetApp Products (NetApp Product Security) | MISC | security.netapp.com | |
| cve-details | MISC | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 241932 Red Hat Update for JBoss Enterprise Application Platform 7.4 on RHEL 9 (RHSA-2023:4507)
- 241943 Red Hat Update for JBoss Enterprise Application Platform 7.4 on RHEL 8 (RHSA-2023:4506)
- 241944 Red Hat Update for JBoss Enterprise Application Platform 7.4 on RHEL 7 (RHSA-2023:4505)
- 995428 Java (Maven) Security Update for io.undertow:undertow-parent (GHSA-65h2-wf7m-q2v8)