Vulnerability details: VCID-xvnt-qfb6-c7g6
Vulnerability ID VCID-xvnt-qfb6-c7g6
Aliases CVE-2021-3690
GHSA-fj7c-vg2v-ccrm
GMS-2022-2964
Summary Undertow vulnerable to memory exhaustion due to buffer leak
Buffer leak on incoming WebSocket PONG message(s) in Undertow before 2.0.40 and 2.2.10 can lead to memory exhaustion and allow a denial of service.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3690.json
cvssv3.1 7.5 https://access.redhat.com/security/cve/CVE-2021-3690
generic_textual HIGH https://access.redhat.com/security/cve/CVE-2021-3690
cvssv3.1 7.5 https://access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
generic_textual HIGH https://access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
epss 0.00557 https://api.first.org/data/v1/epss?cve=CVE-2021-3690
cvssv3.1 7.5 https://bugzilla.redhat.com/show_bug.cgi?id=1991299
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=1991299
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-fj7c-vg2v-ccrm
cvssv3.1 7.5 https://github.com/undertow-io/undertow
generic_textual HIGH https://github.com/undertow-io/undertow
cvssv3.1 7.5 https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
generic_textual HIGH https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
cvssv3.1 7.5 https://issues.redhat.com/browse/UNDERTOW-1935
generic_textual HIGH https://issues.redhat.com/browse/UNDERTOW-1935
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-3690
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-3690
cvssv3.1 7.5 https://www.mend.io/vulnerability-database/CVE-2021-3690
generic_textual HIGH https://www.mend.io/vulnerability-database/CVE-2021-3690
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3690.json
https://access.redhat.com/security/cve/CVE-2021-3690
https://access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
https://api.first.org/data/v1/epss?cve=CVE-2021-3690
https://bugzilla.redhat.com/show_bug.cgi?id=1991299
https://github.com/undertow-io/undertow
https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
https://issues.redhat.com/browse/UNDERTOW-1935
https://nvd.nist.gov/vuln/detail/CVE-2021-3690
https://www.mend.io/vulnerability-database/CVE-2021-3690
cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*
GHSA-fj7c-vg2v-ccrm https://github.com/advisories/GHSA-fj7c-vg2v-ccrm
RHSA-2021:3216 https://access.redhat.com/errata/RHSA-2021:3216
RHSA-2021:3217 https://access.redhat.com/errata/RHSA-2021:3217
RHSA-2021:3218 https://access.redhat.com/errata/RHSA-2021:3218
RHSA-2021:3219 https://access.redhat.com/errata/RHSA-2021:3219
RHSA-2021:3425 https://access.redhat.com/errata/RHSA-2021:3425
RHSA-2021:3466 https://access.redhat.com/errata/RHSA-2021:3466
RHSA-2021:3467 https://access.redhat.com/errata/RHSA-2021:3467
RHSA-2021:3468 https://access.redhat.com/errata/RHSA-2021:3468
RHSA-2021:3471 https://access.redhat.com/errata/RHSA-2021:3471
RHSA-2021:3516 https://access.redhat.com/errata/RHSA-2021:3516
RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534
RHSA-2021:3656 https://access.redhat.com/errata/RHSA-2021:3656
RHSA-2021:3658 https://access.redhat.com/errata/RHSA-2021:3658
RHSA-2021:3660 https://access.redhat.com/errata/RHSA-2021:3660
RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3690.json
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): none
Integrity Impact (I): none
Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/security/cve/CVE-2021-3690
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/security/cve/cve-2021-3690#cve-cvss-v3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=1991299
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://issues.redhat.com/browse/UNDERTOW-1935
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-3690
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.mend.io/vulnerability-database/CVE-2021-3690
Exploit Prediction Scoring System (EPSS)
Percentile 0.67127
EPSS Score 0.00557
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:25:32.663595+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-fj7c-vg2v-ccrm/GHSA-fj7c-vg2v-ccrm.json 36.1.3