CVE-2020-27782
Aliases: GHSA-rhcw-wjcm-9h6g
Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 23 Feb 2021, 18:35
Last modified: 04 Aug 2024, 16:25
Vulnerability Summary
Overall Risk (default): medium (31/100)
CVSS Score: 7.8 HIGH, v2.0 (nvd)
EPSS Score: 0.18% LOW
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
23 Feb 2021, 18:35: Published (vulnerability first disclosed)
04 Aug 2024, 16:25: Last Modified (vulnerability information updated)
Description
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0 • HIGH • Score: 7.8 • AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS Trends
Current EPSS score: 0.18% • Percentile: 40%
Techniques & Countermeasures
- CWE-400 • Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- debian • undertow: < 2.2.4-1
- io.undertow • undertow-core: ≥ 2.1.0, < 2.1.5 | < 2.0.33
- redhat • jboss_fuse: 6.0.0 | 7.0.0
- redhat • openshift_application_runtimes: n/a
- redhat • undertow: 2.0.33:sp2 | 2.1.5:sp1 | 2.2.3:sp1