A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Vendors Products
Redhat
  • Jboss Enterprise Application Platform

No data.

Package CPE Advisory Released Date
Red Hat JBoss Enterprise Application Platform 7
undertow cpe:/a:redhat:jboss_enterprise_application_platform:7.4 RHSA-2024:1677 2024-04-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 RHSA-2024:1675 2024-04-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el9eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 RHSA-2024:1676 2024-04-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el7eap cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 RHSA-2024:1674 2024-04-04T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8
undertow cpe:/a:redhat:jboss_enterprise_application_platform:8.0 RHSA-2024:2763 2024-05-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-undertow-0:2.3.11-1.SP1_redhat_00001.1.el8eap cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 RHSA-2024:2764 2024-05-08T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-undertow-0:2.3.11-1.SP1_redhat_00001.1.el9eap cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9 RHSA-2024:2764 2024-05-08T00:00:00Z
References
Link Providers
https://access.redhat.com/errata/RHSA-2024:1674 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1675 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1676 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:1677 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2763 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2024:2764 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2023-1973 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2185662 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2023-1973 cve-icon
https://www.cve.org/CVERecord?id=CVE-2023-1973 cve-icon
History

Thu, 07 Nov 2024 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 Nov 2024 10:15:00 +0000

Type Values Removed Values Added
Title undertow: unrestricted request storage leads to memory exhaustion Undertow: unrestricted request storage leads to memory exhaustion
References
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-11-07T10:01:57.995Z

Updated: 2024-11-07T14:06:43.345Z

Reserved: 2023-04-10T23:29:16.249Z

Link: CVE-2023-1973

cve-icon Vulnrichment

Updated: 2024-11-07T14:06:39.564Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-07T10:15:05.400

Modified: 2024-11-08T19:01:03.880

Link: CVE-2023-1973

cve-icon Redhat

Severity : Important

Publid Date: 2024-04-04T00:00:00Z

Links: CVE-2023-1973 - Bugzilla