HIGH · 7.5

CVE-2023-3223

Vulnerability Description

A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause a remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it is possible to bypass the limit by setting the file name in the request to null.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector:       NETWORK
Attack Complexity:   LOW
Privileges Required: NONE
User Interaction:    NONE
Scope:               UNCHANGED
Confidentiality:     NONE
Integrity:           NONE
Availability:        HIGH

Affected Products

Vendor   Product                                                        Versions
Redhat   Undertow                                                       < 2.2.24
Redhat   Openshift Container Platform                                   4.11
Redhat   Openshift Container Platform For Ibm Linuxone                  4.9
Redhat   Openshift Container Platform For Power                         4.9
Redhat   Enterprise Linux                                               8.0
Redhat   Jboss Enterprise Application Platform Text-Only Advisories     -
Redhat   Single Sign-On                                                 -
Redhat   Jboss Enterprise Application Platform                          7.4

References

FAQ

What is CVE-2023-3223?

CVE-2023-3223 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause a remote Denial of Service (DoS) attack.

How severe is CVE-2023-3223?

CVE-2023-3223 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2023-3223?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Undertow (versions before 2.2.24), Redhat Openshift Container Platform, Redhat Openshift Container Platform For Ibm Linuxone, Redhat Openshift Container Platform For Power, Redhat Enterprise Linux, Redhat Jboss Enterprise Application Platform, and Redhat Single Sign-On.