Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

None

Attack Vector

Network

0

CVE-2023-3171

Disclosure Date: December 27, 2023 •

CVE-2023-3171 CVSS v3 Base Score: 7.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in a Denial of Service.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

OS

Unknown

Vulnerable Versions

EAP 7.4.13 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 not down converted

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

redhat

Products

jboss enterprise application platform -,
jboss enterprise application platform 7.4

References

Canonical

CVE-2023-3171 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3171)

Miscellaneous

https://access.redhat.com/errata/RHSA-2023:5484

https://access.redhat.com/errata/RHSA-2023:5485

https://access.redhat.com/errata/RHSA-2023:5486

https://access.redhat.com/errata/RHSA-2023:5488

https://access.redhat.com/security/cve/CVE-2023-3171

https://bugzilla.redhat.com/show_bug.cgi?id=2213639

Rapid7

Technical Analysis