GHSA-m4mm-pg93-fv78
First published: Thu Sep 14 2023(Updated: )
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.undertow:undertow-core | <2.2.24.Final | 2.2.24.Final |
| maven/io.undertow:undertow-core | >=2.3.0<2.3.5.Final | 2.3.5.Final |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-1108
- https://access.redhat.com/errata/RHSA-2023:1184
- https://access.redhat.com/errata/RHSA-2023:1185
- https://access.redhat.com/errata/RHSA-2023:1512
- https://access.redhat.com/errata/RHSA-2023:1513
- https://access.redhat.com/errata/RHSA-2023:1514
- https://access.redhat.com/errata/RHSA-2023:1516
- https://access.redhat.com/errata/RHSA-2023:3883
- https://access.redhat.com/errata/RHSA-2023:3884
- https://access.redhat.com/errata/RHSA-2023:3885
- https://access.redhat.com/errata/RHSA-2023:3888
- https://access.redhat.com/errata/RHSA-2023:3892
- https://access.redhat.com/errata/RHSA-2023:3954
- https://access.redhat.com/errata/RHSA-2023:4612
- https://access.redhat.com/security/cve/CVE-2023-1108
- https://bugzilla.redhat.com/show_bug.cgi?id=2174246
- https://github.com/undertow-io/undertow/commit/1b763064a41a30583b5df9a118898513007a70be
- https://github.com/undertow-io/undertow/commit/ccc053b55f5de9872bc1a4999fd6aa85fc5e146d
- https://github.com/undertow-io/undertow/pull/1457
- https://github.com/undertow-io/undertow/commit/1302c8cf4476936802504efe0d36c58dcd954f78
- https://security.netapp.com/advisory/ntap-20231020-0002
- https://github.com/advisories/GHSA-m4mm-pg93-fv78 (Advisory)
- https://access.redhat.com/errata/RHSA-2023:2135
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is GHSA-m4mm-pg93-fv78.
What is the severity of GHSA-m4mm-pg93-fv78?
The severity of GHSA-m4mm-pg93-fv78 is high with a severity value of 7.5.
How does GHSA-m4mm-pg93-fv78 allow for a denial of service attack?
GHSA-m4mm-pg93-fv78 allows for a denial of service attack by causing an unexpected handshake status update in SslConduit, resulting in a loop that never terminates.
What software packages are affected by GHSA-m4mm-pg93-fv78?
The affected software packages are io.undertow:undertow-core version up to exclusive 2.2.24.Final and io.undertow:undertow-core version between inclusive exclusive 2.3.0 and 2.3.5.Final.
Where can I find more information about GHSA-m4mm-pg93-fv78?
More information about GHSA-m4mm-pg93-fv78 can be found at the following references: CVE-2023-1108, RHSA-2023:1184, and RHSA-2023:1185.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m4mm-pg93-fv78
- alias/CVE-2023-1108
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/tags
- collector/github-advisory
- package-manager/maven