Allocation of Resources Without Limits or Throttling Affecting io.undertow:undertow-core package, versions [,2.3.12.Final)
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Threat Intelligence
EPSS
0.05% (21st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-IOUNDERTOW-6669948
- published 21 Apr 2024
- disclosed 12 Dec 2023
- credit Unknown
Introduced: 12 Dec 2023
CVE-2023-5379 Open this link in a new tabHow to fix?
Upgrade io.undertow:undertow-core to version 2.3.12.Final or higher.
Overview
io.undertow:undertow-core is a Java web server based on non-blocking IO.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can disrupt service availability by repeatedly sending AJP requests that exceed the configured max-header-size attribute in ajp-listener, leading to the server closing the TCP connection without returning an AJP response.
Note:
This is only exploitable if the max-header-size is set to 64 KB or less.