Description
A flaw was found in Undertow. Servlets annotated with @MultipartConfig may trigger an OutOfMemoryError when handling large multipart content. This may allow unauthorized users to cause a remote Denial of Service (DoS) attack. If the server relies on fileSizeThreshold to limit the size of uploaded files, that limit can be bypassed by setting the file name in the request to null.
Remediation
References
https://access.redhat.com/errata/RHSA-2023:4505
https://access.redhat.com/errata/RHSA-2023:4506
https://access.redhat.com/errata/RHSA-2023:4507
https://access.redhat.com/errata/RHSA-2023:4509
https://access.redhat.com/errata/RHSA-2023:4918
https://access.redhat.com/errata/RHSA-2023:4919
https://access.redhat.com/errata/RHSA-2023:4920
https://access.redhat.com/errata/RHSA-2023:4921
https://access.redhat.com/errata/RHSA-2023:4924
https://access.redhat.com/errata/RHSA-2023:7247
https://access.redhat.com/security/cve/CVE-2023-3223
https://bugzilla.redhat.com/show_bug.cgi?id=2209689
https://security.netapp.com/advisory/ntap-20231027-0004/