CVE-2023-3223
Undertow vulnerable to denial of service
7.5
HIGH
CVSS 3.1
EPSS 0.65%
Description
A flaw was found in Undertow. Servlets annotated with @MultipartConfig may trigger an OutOfMemoryError when they receive large multipart content. This may allow unauthenticated remote attackers to cause a Denial of Service (DoS). If the server relies on fileSizeThreshold to limit the file size, the limit can be bypassed by sending a part whose file name is null.
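The fix is the upgrade listed below; the configuration shown here is defence in depth that a practitioner would want in place regardless. It is an added example, not code from Undertow or from this advisory: a hypothetical upload servlet (the name UploadServlet, the /upload path and the PER_PART_LIMIT constant are assumptions) that sets the hard caps maxFileSize and maxRequestSize rather than relying on fileSizeThreshold, which only decides when a part is spilled from the heap to a temporary file and is not a size limit on its own. It also streams every part through a byte counter, so a part with no file name is held to the same cap as one that has a file name. The jakarta.servlet package names assume Undertow 2.3.x; the 2.2.x line uses javax.servlet with the same API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Collection;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.MultipartConfig;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.Part;

// Hypothetical upload servlet (example code, not Undertow's own).
// maxFileSize and maxRequestSize are the hard limits enforced by the container;
// fileSizeThreshold only controls when a part is written to disk instead of memory.
@WebServlet("/upload")
@MultipartConfig(
    fileSizeThreshold = 64 * 1024,       // parts above 64 KiB are spilled to a temp file
    maxFileSize = 10L * 1024 * 1024,     // hard cap per part: 10 MiB
    maxRequestSize = 12L * 1024 * 1024   // hard cap for the whole multipart body: 12 MiB
)
public class UploadServlet extends HttpServlet {
    // Assumed application-level cap, applied to every part regardless of file name.
    private static final long PER_PART_LIMIT = 10L * 1024 * 1024;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Collection<Part> parts;
        try {
            // Parsing happens here; the Servlet API reports a violated
            // maxFileSize / maxRequestSize as an IllegalStateException.
            parts = req.getParts();
        } catch (IllegalStateException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        for (Part part : parts) {
            // Stream each part and count bytes instead of buffering it whole.
            // The check does not look at part.getSubmittedFileName(), so a part
            // without a file name cannot escape it.
            long seen = 0;
            byte[] buf = new byte[8192];
            try (InputStream in = part.getInputStream()) {
                int n;
                while ((n = in.read(buf)) != -1) {
                    seen += n;
                    if (seen > PER_PART_LIMIT) {
                        resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                        return;
                    }
                    // process buf[0..n) here (write to storage, hash, etc.)
                }
            } finally {
                part.delete(); // release the temp file backing the part, if any
            }
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

When deploying, keep maxRequestSize close to maxFileSize times the number of parts you actually expect; a generous request-level cap with a tight per-file cap still lets a client send many small parts that add up to a large in-memory parse.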
How to fix CVE-2023-3223
To remediate CVE-2023-3223, upgrade the affected package to a fixed version below.
- upgrade to 2.3.18-1 or later
- upgrade to 2.2.24.Final or later
Is CVE-2023-3223 being exploited?
Low: EPSS is 0.65%, a low estimated probability that this CVE will be exploited in the wild within the next 30 days. EPSS is a prediction, not a record of observed exploitation.
Affected packages (2)
- from 0, < 2.3.18-1
- from 0, < 2.2.24.Final
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |