CVE-2021-3859
undertow: client side invocation timeout raised when calling over HTTP2
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
Se ha encontrado un fallo en Undertow que dispara el tiempo de espera de la invocación del lado del cliente con determinadas llamadas realizadas a través de HTTP2. Este fallo permite a un atacante realizar ataques de denegación de servicio.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-10-05 CVE Reserved
- 2022-02-03 CVE Published
- 2024-04-16 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-214: Invocation of Process Using Visible Sensitive Information
- CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://github.com/undertow-io/undertow/pull/1296 | Third Party Advisory | |
| https://security.netapp.com/advisory/ntap-20221201-0004 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2 | 2022-12-13 | |
| https://issues.redhat.com/browse/UNDERTOW-1979 | 2022-12-13 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2021-3859 | 2022-07-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2010378 | 2022-07-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.4.10 Search vendor "Redhat" for product "Single Sign-on" and version "7.4.10" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.5.1 Search vendor "Redhat" for product "Single Sign-on" and version "7.5.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Undertow Search vendor "Redhat" for product "Undertow" | < 2.2.15 Search vendor "Redhat" for product "Undertow" and version " < 2.2.15" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Cloud Secure Agent Search vendor "Netapp" for product "Cloud Secure Agent" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Insight Search vendor "Netapp" for product "Oncommand Insight" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation" | - | - |
Affected
| ||||||