CVE-2022-1319
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 31 Aug 2022, 00:00
Last modified:03 Aug 2024, 00:03
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
1.19% LOW
1% probability +0.56%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
31 Aug 2022, 00:00
Published
Vulnerability first disclosed
03 Aug 2024, 00:03
Last Modified
Vulnerability information updated
Description
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 1.19%• Percentile: 79%
Techniques & Countermeasures
- CWE-252•Unchecked Return Value
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Affected Systems
- netapp•active_iq_unified_manager
na
- netapp•cloud_secure_agent
na
- netapp•oncommand_insight
na
- netapp•oncommand_workflow_automation
na
- redhat•openshift_application_runtimes
na
- redhat•single_sign-on
7.0
- redhat•undertow
< 2.2.17 | 2.2.17 | 2.2.17:sp1 | 2.2.17:sp2 | 2.2.19 | 2.2.19:sp1 | 2.3.0:alpha1
References (6)
- https://bugzilla.redhat.com/show_bug.cgi?id=2073890
- https://issues.redhat.com/browse/UNDERTOW-2060
- https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b
- https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3
- https://access.redhat.com/security/cve/CVE-2022-1319
- https://security.netapp.com/advisory/ntap-20221014-0006/