CVE-2020-14384

HIGH

JBossWeb < 7.5.31.Final-redhat-3 - Denial of Service via Invalid WebSocket Payload Length

Title source: llm
STIX 2.1

Description

A flaw was found in JBossWeb in versions before 7.5.31.Final-redhat-3. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability.

References (1)

Core 1
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1875176

Scores

CVSS v3 7.5
EPSS 0.0032
EPSS Percentile 55.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (2)
redhat/jboss_enterprise_application_platform 6.0.0
redhat/jbossweb < 7.5.31.final-redhat-3
Published Sep 09, 2020
Tracked Since Feb 18, 2026