Search for vulnerabilities
Vulnerability details: VCID-k7es-gamy-ybe9
Vulnerability ID VCID-k7es-gamy-ybe9
Aliases CVE-2021-3690
GHSA-fj7c-vg2v-ccrm
GMS-2022-2964
Summary Undertow vulnerable to memory exhaustion due to buffer leak Buffer leak on incoming WebSocket PONG message(s) in Undertow before 2.0.40 and 2.2.10 can lead to memory exhaustion and allow a denial of service.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-400 Uncontrolled Resource Consumption
CWE-401 Missing Release of Memory after Effective Lifetime
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3690.json
cvssv3.1 7.5 https://access.redhat.com/security/cve/CVE-2021-3690
generic_textual HIGH https://access.redhat.com/security/cve/CVE-2021-3690
cvssv3.1 7.5 https://access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
generic_textual HIGH https://access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
epss 0.00325 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00355 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00355 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00355 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00355 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00355 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00357 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
cvssv3.1 7.5 https://bugzilla.redhat.com/show_bug.cgi?id=1991299
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=1991299
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-fj7c-vg2v-ccrm
cvssv3.1 7.5 https://github.com/undertow-io/undertow
generic_textual HIGH https://github.com/undertow-io/undertow
cvssv3.1 7.5 https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
generic_textual HIGH https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
cvssv3.1 7.5 https://issues.redhat.com/browse/UNDERTOW-1935
generic_textual HIGH https://issues.redhat.com/browse/UNDERTOW-1935
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-3690
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-3690
cvssv3.1 7.5 https://www.mend.io/vulnerability-database/CVE-2021-3690
generic_textual HIGH https://www.mend.io/vulnerability-database/CVE-2021-3690
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3690.json
https://access.redhat.com/security/cve/CVE-2021-3690
https://access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
https://api.first.org/data/v1/epss?cve=CVE-2021-3690
https://bugzilla.redhat.com/show_bug.cgi?id=1991299
https://github.com/undertow-io/undertow
https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
https://issues.redhat.com/browse/UNDERTOW-1935
https://nvd.nist.gov/vuln/detail/CVE-2021-3690
https://www.mend.io/vulnerability-database/CVE-2021-3690
cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
GHSA-fj7c-vg2v-ccrm https://github.com/advisories/GHSA-fj7c-vg2v-ccrm
RHSA-2021:3216 https://access.redhat.com/errata/RHSA-2021:3216
RHSA-2021:3217 https://access.redhat.com/errata/RHSA-2021:3217
RHSA-2021:3218 https://access.redhat.com/errata/RHSA-2021:3218
RHSA-2021:3219 https://access.redhat.com/errata/RHSA-2021:3219
RHSA-2021:3425 https://access.redhat.com/errata/RHSA-2021:3425
RHSA-2021:3466 https://access.redhat.com/errata/RHSA-2021:3466
RHSA-2021:3467 https://access.redhat.com/errata/RHSA-2021:3467
RHSA-2021:3468 https://access.redhat.com/errata/RHSA-2021:3468
RHSA-2021:3471 https://access.redhat.com/errata/RHSA-2021:3471
RHSA-2021:3516 https://access.redhat.com/errata/RHSA-2021:3516
RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534
RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656
RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658
RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660
RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3690.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/security/cve/CVE-2021-3690
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=1991299
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://issues.redhat.com/browse/UNDERTOW-1935
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-3690
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.mend.io/vulnerability-database/CVE-2021-3690
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.54938
EPSS Score 0.00325
Published At Sept. 25, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:05:12.159128+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-fj7c-vg2v-ccrm/GHSA-fj7c-vg2v-ccrm.json 37.0.0