CVE-2024-5971

A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/5xxx/CVE-2024-5971.json",
    "cna_assigner": "redhat",
    "cwe_ids": [
        "CWE-674"
    ]
}

References

Affected packages

Git / github.com/undertow-io/undertow

Affected ranges

Type

GIT

Repo

https://github.com/undertow-io/undertow

Events

Introduced

Fixed

1ab726d45e67afcaf6bd756107ddaeead6046065

Introduced

b2bcc75afc25d66c863b39000d819ce6fb758a66

Fixed

3179d792f0f0fb28398c648fca1f9f4f2853bce8

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.34.Final"
        },
        {
            "introduced": "2.3.0.Alpha1"
        },
        {
            "fixed": "2.3.15.Final"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

1.*

1.0.0.Alpha1

1.0.0.Alpha10

1.0.0.Alpha11

1.0.0.Alpha12

1.0.0.Alpha13

1.0.0.Alpha14

1.0.0.Alpha15

1.0.0.Alpha16

1.0.0.Alpha17

1.0.0.Alpha18

1.0.0.Alpha19

1.0.0.Alpha2

1.0.0.Alpha20

1.0.0.Alpha21

1.0.0.Alpha22

1.0.0.Alpha3

1.0.0.Alpha4

1.0.0.Alpha5

1.0.0.Alpha6

1.0.0.Alpha7

1.0.0.Alpha8

1.0.0.Alpha9

1.0.0.Beta1

1.0.0.Beta10

1.0.0.Beta11

1.0.0.Beta12

1.0.0.Beta13

1.0.0.Beta14

1.0.0.Beta15

1.0.0.Beta16

1.0.0.Beta17

1.0.0.Beta18

1.0.0.Beta19

1.0.0.Beta2

1.0.0.Beta20

1.0.0.Beta21

1.0.0.Beta22

1.0.0.Beta23

1.0.0.Beta24

1.0.0.Beta25

1.0.0.Beta26

1.0.0.Beta27

1.0.0.Beta28

1.0.0.Beta29

1.0.0.Beta3

1.0.0.Beta30

1.0.0.Beta31

1.0.0.Beta32

1.0.0.Beta33

1.0.0.Beta4

1.0.0.Beta5

1.0.0.Beta6

1.0.0.Beta7

1.0.0.Beta8

1.0.0.Beta9

1.0.0.CR1

1.0.0.CR2

1.0.0.CR3

1.0.0.CR4

1.0.0.Final

1.0.1.Final

1.0.2.Final

1.0.3.Final

1.1.0.Beta1

1.1.0.Beta2

1.1.0.Beta3

1.1.0.Beta4

1.1.0.Beta5

1.1.0.Beta6

1.1.0.Beta7

1.1.0.Beta8

1.2.0.Beta1

1.2.0.Beta10

1.2.0.Beta2

1.2.0.Beta3

1.2.0.Beta4

1.2.0.Beta5

1.2.0.Beta6

1.2.0.Beta7

1.2.0.Beta8

1.2.0.Beta9

1.2.0.CR1

1.2.0.Final

1.2.1.Final

1.2.2.Final

1.2.3.Final

1.2.4.Final

1.3.0.Beta1

1.3.0.Beta10

1.3.0.Beta11

1.3.0.Beta12

1.3.0.Beta13

1.3.0.Beta2

1.3.0.Beta3

1.3.0.Beta4

1.3.0.Beta5

1.3.0.Beta6

1.3.0.Beta7

1.3.0.Beta8

1.3.0.Beta9

1.3.0.CR1

1.3.0.CR2

1.3.0.CR3

1.3.0.Final

1.3.1.Final

1.3.2.Final

1.3.3.Final

2.*

2.0.0.Alpha1

2.0.0.Beta1

2.0.0.Final

2.0.1.Final

2.0.10.Final

2.0.11.Final

2.0.12.Final

2.0.13.Final

2.0.14.Final

2.0.15.Final

2.0.16.Final

2.0.17.Final

2.0.2.Final

2.0.20.Final

2.0.21.Final

2.0.22.Final

2.0.23.Final

2.0.24.Final

2.0.25.Final

2.0.26.Final

2.0.27.Final

2.0.28.Final

2.0.29.Final

2.0.3.Final

2.0.4.Final

2.0.5.Final

2.0.6.Final

2.0.7.Final

2.0.8.Final

2.0.9.Final

2.1.0.Final

2.1.1.Final

2.1.2.Final

2.1.3.Final

2.1.4.Final

2.2.0.Final

2.2.1.Final

2.2.10.Final

2.2.11.Final

2.2.12.Final

2.2.13.Final

2.2.14.Final

2.2.15.Final

2.2.16.Final

2.2.17.Final

2.2.18.Final

2.2.19.Final

2.2.2.Final

2.2.20.Final

2.2.21.Final

2.2.22.Final

2.2.23.Final

2.2.24.Final

2.2.25.Final

2.2.26.Final

2.2.27.Final

2.2.28.Final

2.2.3.Final

2.2.30.Final

2.2.31.Final

2.2.32.Final

2.2.33.Final

2.2.4.Final

2.2.5.Final

2.2.6.Final

2.2.7.Final

2.2.8.Final

2.2.9.Final

2.3.0.Alpha1

2.3.0.Alpha2

2.3.0.Beta1

2.3.0.Final

2.3.1.Final

2.3.10.Final

2.3.11.Final

2.3.12.Final

2.3.13.Final

2.3.14.Final

2.3.2.Final

2.3.3.Final

2.3.4.Final

2.3.5.Final

2.3.6.Final

2.3.7.Final

2.3.8.Final

2.3.9.Final

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-5971.json"