CVE-2023-3223

HIGH

Undertow < 2.2.24 - Denial of Service via Large Multipart Content Bypass

Title source: llm
STIX 2.1

Description

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

References (13)

Core 13
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4505
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4506
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4507
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4509
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4918
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4919
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4920
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4921
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:4924
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:7247
Vendor Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2023-3223
Issue Tracking, Vendor Advisory issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2209689

Scores

CVSS v3 7.5
EPSS 0.0203
EPSS Percentile 78.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-789
Status published
Products (12)
io.undertow/undertow-parent 0 - 2.2.24.FinalMaven
redhat/jboss_enterprise_application_platform 7.4
redhat/jboss_enterprise_application_platform_text-only_advisories
redhat/openshift_container_platform 4.11
redhat/openshift_container_platform 4.12
redhat/openshift_container_platform_for_ibm_linuxone 4.9
redhat/openshift_container_platform_for_ibm_linuxone 4.10
redhat/openshift_container_platform_for_power 4.9
redhat/openshift_container_platform_for_power 4.10
redhat/single_sign-on
... and 2 more
Published Sep 27, 2023
Tracked Since Feb 18, 2026