// For flags

CVE-2024-5971

Undertow: response write hangs in case of java 17 tlsv1.3 newsessionticket

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r
termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.

Se encontró una vulnerabilidad en Undertow, donde la respuesta fragmentada se suspende después de que se lavó el cuerpo. Los encabezados y el cuerpo de la respuesta se enviaron, pero el cliente continuaría esperando ya que Undertow no envía la terminación 0\r
esperada de la respuesta fragmentada. Esto da como resultado un consumo descontrolado de recursos, dejando al lado del servidor expuesto a un ataque de denegación de servicio. Esto sucede solo con escenarios Java 17 TLSv1.3.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-06-13 CVE Reserved
  • 2024-07-08 CVE Published
  • 2024-08-13 EPSS Updated
  • 2024-10-31 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-674: Uncontrolled Recursion
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
---- -