1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-45XM-V8GQ-7JQX

[MAVEN:GHSA-45XM-V8GQ-7JQX] Excessive memory allocation

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1
Info Packages References Vulnerabilities

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.

Package Affected Version
pkg:maven/io.vertx/vertx-core >= 3.0.0, < 3.5.4
Package Fixed Version
pkg:maven/io.vertx/vertx-core = 3.5.4
ID
MAVEN:GHSA-45XM-V8GQ-7JQX
Severity
moderate
URL
https://github.com/advisories/GHSA-45xm-v8gq-7jqx
Published
2018-10-17T16:19:59
(6 years ago)
Modified
2023-03-28T17:21:24
(17 months ago)
Rights
Maven Security Team
Source # ID Name URL
https://nvd.nist.gov/vuln/detail/CVE-2018-12541
https://github.com/eclipse-vertx/vert.x/issues/2648
https://access.redhat.com/errata/RHSA-2018:2946
https://bugs.eclipse.org/bugs/show_bug.cgi?id=539170
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r11789cd6d67ecca2d6f6bbb11e34495e68ee99287b6c59edf5b1a09c@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r344235b1aea2f7fa2381495df1d77d02b595e3d7e4626e701f7c1062@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r362835e6c7f34324ed24e318b363fcdd20cea91d0cea0b2e1164f73e@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r3da899890536af744dec897fbc561fd9810ac45e79a16164b53c31b2@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r8db0431ecf93f2dd2128db5ddca897b33ba883b7f126648d6a9e4c47@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/re5ddabee26fbcadc7254d03a5a073d64080a9389adc9e452529664ed@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/r1af71105539fe01fcecb92d2ecd8eea56c515fb1c80ecab4df424553@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r79789a0afb184abd13a2c07016e6e7ab8e64331f332b630bf82a2eed@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/rbdc279ecdb7ac496a03befb05a53605c4ce2b67e14f8f4df4cfa1203@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/reb3cc4f3e10264896a541813c0030ec9d9466ba9b722fe5d4adc91cd@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r01123837ffbfdf5809e0a4ac354ad546e4ca8f18df89ee5a10eeb81b@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r98dc06e2b1c498d0e9eb5038d8e1aefd24e411e50522e7082dd9e0b7@%3Ccommits.bookkeeper.apache.org%3E
https://github.com/eclipse-vertx/vert.x/commit/269a583330695d1418a4f5578f7169350b2e1332
https://github.com/advisories/GHSA-45xm-v8gq-7jqx
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/io.vertx/vertx-core io.vertx vertx-core >= 3.0.0 < 3.5.4
Fixed pkg:maven/io.vertx/vertx-core io.vertx vertx-core = 3.5.4
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date