Description

The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

Remediation

References

https://github.com/eclipse/milo/issues/1030

https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5

https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191

https://github.com/eclipse/milo/pull/1031

Related Vulnerabilities

CVE-2022-41932 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2022-24721 Vulnerability in maven package org.cometd.java:cometd-java-oort

CVE-2018-1131 Vulnerability in maven package org.infinispan:infinispan-core

CVE-2022-28366 Vulnerability in maven package net.sourceforge.nekohtml:nekohtml

CVE-2023-29019 Vulnerability in npm package @fastify/passport

Severity

High

Classification

CWE-770 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Issue Tracking Patch Third Party Advisory