CVE-2023-5379

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
redhatCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
VendorProductVersion
redhatjboss_enterprise_application_platform
-
redhatjboss_enterprise_application_platform
7.0.0
redhatsingle_sign-on
7.0
redhatundertow
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
undertow
sid
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
undertow
oracular
needs-triage
noble
needs-triage
mantic
dne
lunar
dne
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2023:4509
https://access.redhat.com/errata/RHSA-2025:9582
https://access.redhat.com/errata/RHSA-2025:9583
https://access.redhat.com/security/cve/CVE-2023-5379
https://bugzilla.redhat.com/show_bug.cgi?id=2242099
https://access.redhat.com/errata/RHSA-2023:4509
https://access.redhat.com/security/cve/CVE-2023-5379
https://bugzilla.redhat.com/show_bug.cgi?id=2242099