[MAVEN:GHSA-9PH3-V2VH-3QX7] Eclipse Vert.x vulnerable to a memory leak in TCP servers

Severity Moderate
Affected Packages 2
Fixed Packages 2
CVEs 1

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with both TLS and SNI support. When a TLS ClientHello carries an SNI server name that has no mapped certificate, the server falls back to the default certificate, but the resulting SSL context is erroneously cached in the server-name map under that unknown name. Each distinct name therefore adds a permanent entry, so an attacker who sends many ClientHello messages with fabricated server names can grow the map without bound, exhaust the heap and trigger a JVM out-of-memory error. Servers that do not enable SNI on their TLS listener are not affected.
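The following is an added, illustrative model of the caching mistake the advisory describes, not Vert.x's own code: the class, map and method names (`SniContextCacheDemo`, `MAPPED`, `CACHE`, `resolveVulnerable`, `resolveFixed`) are assumptions made for this example. It pairs a lookup that caches the default context under every unknown SNI name with the corrected lookup that only caches names backed by a configured certificate, and drives both with a simulated flood of unique fake server names so the difference in map growth is visible.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLContext;

/**
 * Illustrative model of an SNI-to-SSLContext lookup (example code, not Vert.x's).
 * Only the caching mistake it reproduces comes from the advisory; the names below
 * are assumptions for this demo.
 */
public class SniContextCacheDemo {

    /** Server names the operator configured certificates for (assumed names). */
    static final Map<String, SSLContext> MAPPED = new ConcurrentHashMap<>();

    /** Per-server-name cache filled while handling ClientHello messages. */
    static final Map<String, SSLContext> CACHE = new ConcurrentHashMap<>();

    static SSLContext defaultContext;

    /**
     * Vulnerable lookup: an unknown server name falls back to the default
     * context, but the fallback is stored under the attacker-chosen name.
     * Every distinct fake SNI value therefore adds a permanent map entry.
     */
    static SSLContext resolveVulnerable(String serverName) {
        return CACHE.computeIfAbsent(serverName, name -> {
            SSLContext mapped = MAPPED.get(name);
            return mapped != null ? mapped : defaultContext;
        });
    }

    /**
     * Fixed lookup: names without a configured certificate get the default
     * context without touching the cache, so the map is bounded by the number
     * of configured names, regardless of what clients send.
     */
    static SSLContext resolveFixed(String serverName) {
        SSLContext mapped = MAPPED.get(serverName);
        if (mapped == null) {
            return defaultContext;
        }
        return CACHE.computeIfAbsent(serverName, name -> mapped);
    }

    /** A TLS context initialised with JDK defaults; certificate material is irrelevant for a size demo. */
    static SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        defaultContext = newContext();
        MAPPED.put("api.example.test", newContext());
        MAPPED.put("www.example.test", newContext());

        // Simulated attacker: 100,000 ClientHellos, each carrying a unique fabricated SNI name.
        for (int i = 0; i < 100_000; i++) {
            resolveVulnerable("fake-" + i + ".example.test");
        }
        System.out.println("vulnerable lookup, cache entries: " + CACHE.size()); // one entry per fake name
        CACHE.clear();

        for (int i = 0; i < 100_000; i++) {
            resolveFixed("fake-" + i + ".example.test");
        }
        resolveFixed("api.example.test");
        System.out.println("fixed lookup, cache entries: " + CACHE.size()); // only configured names
    }
}
```

The point to check in your own deployment is whether a TLS listener has SNI turned on (`setSni(true)` on the Vert.x server options) while running one of the affected `vertx-core` ranges listed below; `mvn dependency:tree -Dincludes=io.vertx:vertx-core` shows the resolved version, including one pulled in transitively. Rate limiting or connection caps at the edge reduce how fast the map grows but do not remove the leak; the fix is to move to 4.4.8 or 4.5.3.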

Package Affected Version
pkg:maven/io.vertx/vertx-core >= 4.5.0, < 4.5.3
pkg:maven/io.vertx/vertx-core >= 4.3.4, < 4.4.8
ID: MAVEN:GHSA-9PH3-V2VH-3QX7
Severity: moderate
URL: https://github.com/advisories/GHSA-9ph3-v2vh-3qx7
Published: 2024-04-02T09:30:42
Modified: 2024-04-02T16:15:48
Rights: Maven Security Team
Type      Package URL                     Namespace  Name        Version
Affected  pkg:maven/io.vertx/vertx-core   io.vertx   vertx-core  >= 4.5.0, < 4.5.3
Fixed     pkg:maven/io.vertx/vertx-core   io.vertx   vertx-core  = 4.5.3
Affected  pkg:maven/io.vertx/vertx-core   io.vertx   vertx-core  >= 4.3.4, < 4.4.8
Fixed     pkg:maven/io.vertx/vertx-core   io.vertx   vertx-core  = 4.4.8