CVE-2021-3690

HIGH

Redhat Fuse < 2.0.40 - Memory Leak

Title source: rule

Description

A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

References (4)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2021-3690

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1991299

[Patch, Third Party Advisory] https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877

[Exploit, Issue Tracking, Mitigation, Vendor Advisory] https://issues.redhat.com/browse/UNDERTOW-1935

Scores

CVSS v3 7.5

EPSS 0.0028

EPSS Percentile 50.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-401 CWE-400

Status published

Affected Products (10)

redhat/fuse

redhat/integration_camel_k

redhat/integration_camel_quarkus

redhat/jboss_enterprise_application_platform

redhat/openshift_application_runtimes

redhat/single_sign-on

redhat/undertow < 2.0.40

redhat/jboss_enterprise_application_platform

io.undertow/undertow-core < 2.0.40Maven

Timeline

Published Aug 23, 2022

Tracked Since Feb 18, 2026