Description

The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

Remediation

References

https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5

https://github.com/eclipse/milo/issues/1030

https://github.com/eclipse/milo/pull/1031

https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191

Related Vulnerabilities

CVE-2021-36774 Vulnerability in maven package org.apache.kylin:kylin-core-common

CVE-2021-21290 Vulnerability in maven package io.netty:netty-transport-native-unix-common-tests

CVE-2020-26291 Vulnerability in maven package org.webjars.npm:urijs

CVE-2022-39382 Vulnerability in npm package @keystone-6/core

CVE-2021-43138 Vulnerability in maven package org.webjars.bowergithub.caolan:async

Severity

High

Classification

CWE-770 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Patch Third Party Advisory Issue Tracking