Search for vulnerabilities
Vulnerability details: VCID-dqbz-8afs-nucb
Vulnerability ID VCID-dqbz-8afs-nucb
Aliases CVE-2021-3859
GHSA-339q-62wm-c39w
GMS-2022-2963
Summary Undertow vulnerable to Denial of Service (DoS) attacks Undertow client side invocation timeout raised when calling over HTTP2, this vulnerability can allow attacker to carry out denial of service (DoS) attacks in versions less than 2.2.15 Final.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-214 Invocation of Process Using Visible Sensitive Information
CWE-400 Uncontrolled Resource Consumption
CWE-668 Exposure of Resource to Wrong Sphere
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3859.json
cvssv3.1 7.5 https://access.redhat.com/security/cve/cve-2021-3859
generic_textual HIGH https://access.redhat.com/security/cve/cve-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2021-3859
cvssv3.1 7.5 https://bugzilla.redhat.com/show_bug.cgi?id=2010378
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=2010378
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-339q-62wm-c39w
cvssv3.1 7.5 https://github.com/undertow-io/undertow
generic_textual HIGH https://github.com/undertow-io/undertow
cvssv3.1 7.5 https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8
generic_textual HIGH https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8
cvssv3.1 7.5 https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
generic_textual HIGH https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
cvssv3.1 7.5 https://github.com/undertow-io/undertow/pull/1296
generic_textual HIGH https://github.com/undertow-io/undertow/pull/1296
cvssv3.1 7.5 https://issues.redhat.com/browse/UNDERTOW-1979
generic_textual HIGH https://issues.redhat.com/browse/UNDERTOW-1979
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-3859
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-3859
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20221201-0004
generic_textual HIGH https://security.netapp.com/advisory/ntap-20221201-0004
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3859.json
https://access.redhat.com/security/cve/cve-2021-3859
https://api.first.org/data/v1/epss?cve=CVE-2021-3859
https://bugzilla.redhat.com/show_bug.cgi?id=2010378
https://github.com/undertow-io/undertow
https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8
https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
https://github.com/undertow-io/undertow/pull/1296
https://issues.redhat.com/browse/UNDERTOW-1979
https://nvd.nist.gov/vuln/detail/CVE-2021-3859
https://security.netapp.com/advisory/ntap-20221201-0004
https://security.netapp.com/advisory/ntap-20221201-0004/
1015983 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015983
cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.4.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:single_sign-on:7.4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.5.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:single_sign-on:7.5.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
CVE-2021-3859 https://access.redhat.com/security/cve/CVE-2021-3859
GHSA-339q-62wm-c39w https://github.com/advisories/GHSA-339q-62wm-c39w
RHSA-2022:0400 https://access.redhat.com/errata/RHSA-2022:0400
RHSA-2022:0401 https://access.redhat.com/errata/RHSA-2022:0401
RHSA-2022:0404 https://access.redhat.com/errata/RHSA-2022:0404
RHSA-2022:0405 https://access.redhat.com/errata/RHSA-2022:0405
RHSA-2022:0406 https://access.redhat.com/errata/RHSA-2022:0406
RHSA-2022:0407 https://access.redhat.com/errata/RHSA-2022:0407
RHSA-2022:0408 https://access.redhat.com/errata/RHSA-2022:0408
RHSA-2022:0409 https://access.redhat.com/errata/RHSA-2022:0409
RHSA-2022:0410 https://access.redhat.com/errata/RHSA-2022:0410
RHSA-2022:0415 https://access.redhat.com/errata/RHSA-2022:0415
RHSA-2022:0447 https://access.redhat.com/errata/RHSA-2022:0447
RHSA-2022:0448 https://access.redhat.com/errata/RHSA-2022:0448
RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179
RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3859.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/security/cve/cve-2021-3859
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=2010378
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow/commit/db0f5be43f8e2a4b88fbedd2eb6d5a95a29ceaa8
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow/pull/1296
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://issues.redhat.com/browse/UNDERTOW-1979
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-3859
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20221201-0004
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.41434
EPSS Score 0.00191
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:25:23.513202+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-339q-62wm-c39w/GHSA-339q-62wm-c39w.json 36.1.3