Vulnerability Details : CVE-2023-3223
A flaw was found in Undertow. Servlets annotated with @MultipartConfig may trigger an OutOfMemoryError when handling large multipart content, which allows unauthenticated remote attackers to cause a denial of service (DoS). If the server relies on fileSizeThreshold to limit the file size, the limit can be bypassed by setting the file name of a multipart part in the request to null. Note that fileSizeThreshold is the size at which a part is spilled from memory to disk, not a hard cap on what the server accepts; only maxFileSize, maxRequestSize and listener-level body limits reject oversized input.
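The following servlet pair is an added example, not code from the page, from Undertow or from Red Hat. It shows the weak @MultipartConfig pattern described above (a spill threshold with no caps) next to a hardened one for a Servlet 3.1+ container such as the Undertow-based JBoss EAP 7.4 listed below. Class names, URL paths, size values and the `store` helper are illustrative assumptions.

```java
// ---- file: WeakUploadServlet.java ----
// Added example (not from the page or the Undertow project); names and sizes are assumptions.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// WEAK: fileSizeThreshold only says when a part is moved from memory to a temp file.
// It is not a size limit. maxFileSize and maxRequestSize keep their default of -1
// (unlimited), so an unauthenticated client may send an arbitrarily large body, and
// per the advisory a part sent with a null file name sidesteps the threshold entirely.
@WebServlet("/upload-weak")
@MultipartConfig(fileSizeThreshold = 1024 * 1024) // 1 MiB spill threshold, no caps
public class WeakUploadServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        for (Part part : req.getParts()) {   // parsing may exhaust the heap first
            store(part);
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Application-specific persistence; a stub for this example.
    private void store(Part part) throws IOException {
        part.delete();
    }
}

// ---- file: HardenedUploadServlet.java ----
// HARDENED: cap each file and the whole request body. The Servlet 3.0 contract is
// that getParts() throws IllegalStateException when either cap is exceeded, so the
// application never sees an over-limit upload. maxRequestSize bounds the total body,
// which is the value that matters for parts carrying no file name. Values are assumptions.
@WebServlet("/upload")
@MultipartConfig(
        fileSizeThreshold = 256 * 1024,        // spill to disk after 256 KiB
        maxFileSize       = 5L * 1024 * 1024,  // 5 MiB per file
        maxRequestSize    = 6L * 1024 * 1024)  // 6 MiB for the entire request
public class HardenedUploadServlet extends HttpServlet {
    private static final long MAX_REQUEST_BYTES = 6L * 1024 * 1024;
    private static final long MAX_FIELD_BYTES   = 64L * 1024; // non-file form fields

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Cheap early rejection when the client declares its length; chunked
        // bodies skip this and rely on maxRequestSize enforced by the container.
        long declared = req.getContentLengthLong();
        if (declared > MAX_REQUEST_BYTES) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        try {
            for (Part part : req.getParts()) {
                // A part without a file name is a form field, not an upload.
                // Give it its own, much smaller, bound rather than trusting the
                // per-file limit to cover it.
                if (part.getSubmittedFileName() == null
                        && part.getSize() > MAX_FIELD_BYTES) {
                    resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                    return;
                }
                store(part);
            }
        } catch (IllegalStateException tooLarge) {
            // maxFileSize or maxRequestSize exceeded
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    private void store(Part part) throws IOException {
        part.delete();
    }
}
```

Application-level caps are defence in depth, not the fix: the affected versions must be updated per the errata listed below. As a server-wide backstop that applies before any servlet annotation is consulted, embedded Undertow takes `UndertowOptions.MAX_ENTITY_SIZE` via `Undertow.builder().setServerOption(...)`, and on WildFly/JBoss EAP the equivalent is the `max-post-size` attribute of the listener in the undertow subsystem.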
Vulnerability category: Denial of service
Products affected by CVE-2023-3223
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3223
1.58% - probability of exploitation activity in the next 30 days
~88% - percentile: the proportion of vulnerabilities scored at or below this score
CVSS scores for CVE-2023-3223
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | Red Hat, Inc. | 
CWE ids for CVE-2023-3223
- The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. (Assigned by: secalert@redhat.com, Secondary)
References for CVE-2023-3223
- https://access.redhat.com/errata/RHSA-2023:4507 (RHSA-2023:4507 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:4919 (RHSA-2023:4919 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:4505 (RHSA-2023:4505 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:4918 (RHSA-2023:4918 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:4924 (RHSA-2023:4924 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:7247 (RHSA-2023:7247 - Security Advisory - Red Hat Customer Portal)
- https://access.redhat.com/errata/RHSA-2023:4921 (RHSA-2023:4921 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:4509 (RHSA-2023:4509 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2209689 (2209689 - (CVE-2023-3223) CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling; Issue Tracking, Vendor Advisory)
- https://access.redhat.com/security/cve/CVE-2023-3223 (CVE-2023-3223 - Red Hat Customer Portal; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20231027-0004/ (CVE-2023-3223 Undertow Vulnerability in NetApp Products | NetApp Product Security)
- https://access.redhat.com/errata/RHSA-2023:4920 (RHSA-2023:4920 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:4506 (RHSA-2023:4506 - Security Advisory - Red Hat Customer Portal; Vendor Advisory)