CVE-2021-3859

HIGH

Undertow - DoS

Description

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

Scores

CVSS v3 7.5
EPSS 0.0031
EPSS Percentile 53.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE CWE-214, CWE-668
Status published

Affected Products (9)

redhat/jboss_enterprise_application_platform
redhat/jboss_enterprise_application_platform
redhat/single_sign-on
redhat/single_sign-on
redhat/undertow < 2.2.15
netapp/cloud_secure_agent
netapp/oncommand_insight
netapp/oncommand_workflow_automation
io.undertow/undertow-core < 2.2.15 (Maven)

Timeline

Published Aug 26, 2022
Tracked Since Feb 18, 2026