Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.2.25.SP1, 2.3.9.Final, 2.2.27.Final, 2.2.26.SP1, 2.3.8.SP1
Affects Version/s: None
Component/s: Core
Labels:
None

Git Pull Request:
https://gitlab.cee.redhat.com/undertow-io/undertow/-/merge_requests/74, https://gitlab.cee.redhat.com/undertow-io/undertow/-/commit/99348adc40c7e33f35f3c167db1a14081a012322, https://gitlab.cee.redhat.com/undertow-io/undertow/-/commit/ff55aa5bb73c772048d7e8edce46875f0609abc5, https://github.com/undertow-io/undertow/pull/1521, https://github.com/undertow-io/undertow/pull/1523

There exists a security vulnerability in Undertow that can cause remote DoS attacks.

Servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a very large content.

causes

JBEAP-26413 [GSS](8.0.z) UNDERTOW-2337 - Multipart form-data larger than 16KiB is not available through Servlet getParameter API after EAP 7.4.12 (CVE-2023-3223 / UNDERTOW-2271 fix)

Verified

WFLY-18821 Wildfly 30: form with enctype="multipart/form-data" does not support large input data (16425 bytes)

Resolved

JBEAP-26355 [GSS](7.4.z) UNDERTOW-2337 - Multipart form-data larger than 16KiB is not available through Servlet getParameter API after EAP 7.4.12 (CVE-2023-3223 / UNDERTOW-2271 fix)

Closed

UNDERTOW-2337 Multipart form-data larger than 16KiB is not available through Servlet getParameter API

Closed

is incorporated by

WFCORE-6555 CVE-2023-3223 Upgrade Undertow to 2.3.9.Final

Resolved

relates to

UNDERTOW-2319 Move io.undertow.multipart.minsize property to UndertowOptions

Pull Request Sent

(1 relates to)

Assignee:: Lin Gao

Reporter:: Lin Gao

Involved:: Flavia Rainone

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2023/05/29 12:29 PM

Updated:: 2024/01/15 9:01 AM

Resolved:: 2023/06/06 4:09 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates