Description

The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

Remediation

References

https://github.com/eclipse/milo/issues/1030

https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5

https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191

https://github.com/eclipse/milo/pull/1031

Related Vulnerabilities

CVE-2022-39251 Vulnerability in npm package matrix-js-sdk

CVE-2022-39368 Vulnerability in maven package org.eclipse.californium:element-connector

CVE-2018-20676 Vulnerability in npm package bootstrap-sass

CVE-2016-3737 Vulnerability in maven package org.rhq:rhq-enterprise-comm

CVE-2022-21126 Vulnerability in maven package com.github.samtools:htsjdk

Severity

High

Classification

CWE-770 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Issue Tracking Patch Third Party Advisory