CVE-2022-1259

undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

Se ha encontrado un fallo en Undertow. Un posible problema de seguridad en la administración del control de flujo por parte del navegador sobre HTTP/2 puede causar una sobrecarga o una denegación de servicio en el servidor. Este fallo se presenta debido a una corrección incompleta de CVE-2021-3629

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server.

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include a denial of service vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-04-06 CVE Reserved
2022-07-27 CVE Published
2024-08-02 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (3)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20221014-0006	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-1259	2022-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=2072339	2022-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Build Of Quarkus Search vendor "Redhat" for product "Build Of Quarkus"				-		-		Affected
Redhat Search vendor "Redhat"		Integration Camel K Search vendor "Redhat" for product "Integration Camel K"				-		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				7.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Application Runtimes Search vendor "Redhat" for product "Openshift Application Runtimes"				-		-		Affected
Redhat Search vendor "Redhat"		Single Sign-on Search vendor "Redhat" for product "Single Sign-on"				7.0 Search vendor "Redhat" for product "Single Sign-on" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Undertow Search vendor "Redhat" for product "Undertow"				<= 2.2.17 Search vendor "Redhat" for product "Undertow" and version " <= 2.2.17"		-		Affected
Redhat Search vendor "Redhat"		Undertow Search vendor "Redhat" for product "Undertow"				2.2.18 Search vendor "Redhat" for product "Undertow" and version "2.2.18"		-		Affected
Redhat Search vendor "Redhat"		Undertow Search vendor "Redhat" for product "Undertow"				2.2.19 Search vendor "Redhat" for product "Undertow" and version "2.2.19"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		linux		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		windows		Affected
Netapp Search vendor "Netapp"		Cloud Secure Agent Search vendor "Netapp" for product "Cloud Secure Agent"				-		-		Affected
Netapp Search vendor "Netapp"		Oncommand Insight Search vendor "Netapp" for product "Oncommand Insight"				-		-		Affected
Netapp Search vendor "Netapp"		Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation"				-		-		Affected