1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-V3H8-RW48-H4GR

[MAVEN:GHSA-V3H8-RW48-H4GR] Apache Geronimo Hash Collisions Cause DoS

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1
Info Packages References Vulnerabilities

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Package Affected Version
pkg:maven/org.apache.geronimo/geronimo < 2.2.1
Package Fixed Version
pkg:maven/org.apache.geronimo/geronimo = 2.2.1
ID
MAVEN:GHSA-V3H8-RW48-H4GR
Severity
high
URL
https://github.com/advisories/GHSA-v3h8-rw48-h4gr
Published
2022-05-13T01:07:39
(2 years ago)
Modified
2024-01-15T19:14:56
(8 months ago)
Rights
Maven Security Team
Source # ID Name URL
https://nvd.nist.gov/vuln/detail/CVE-2011-5034
https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
https://lists.apache.org/thread.html/r20957aa5962a48328f199e2373f408aeeae601a45dd5275a195e2b6e@%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/r360b70489bad65286b49ceb5303a849d2a7ec7d1292774a7259579e1@%3Cissues.karaf.apache.org%3E
https://lists.apache.org/thread.html/r3c541f019b74902e8e61d73e40ecc2837dfce1b744ad5546919b993c@%3Cissues.karaf.apache.org%3E
https://lists.apache.org/thread.html/r4fe6b5ff1d48e23337304fd5ac983d89328aecbd1fa198cfc966fbd7@%3Cdev.geronimo.apache.org%3E
https://lists.apache.org/thread.html/r653f633aa7b6ccbb8c338dbfcea7a00e4ae9d6f3e064a03cab8dc20d@%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/r67747af92035942c9c413bd8394acbb8a1ace5833c0177014c825bc2@%3Cissues.karaf.apache.org%3E
https://lists.apache.org/thread.html/r8dc1a0ae0e0cf9d2494b8cbd66562f99331c4cf635e7781850a9b9ba@%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/ra10015f6f3c3c88b7d813383554e87c06347fe163487148669189b8e@%3Cdev.geronimo.apache.org%3E
https://lists.apache.org/thread.html/ra1fe29f6399b68980f914d8613dee7f67d62a1a97722fe9cd56f4f5f@%3Cdev.geronimo.apache.org%3E
https://lists.apache.org/thread.html/rb0e85243d7268f1d7a1edb5e6c7df885dbd300acabaaf4cb0e880518@%3Cissues.karaf.apache.org%3E
https://lists.apache.org/thread.html/rdd67ea3e489134f653349fc2cb09828ac8462aa61dd776b505a3297a@%3Cissues.karaf.apache.org%3E
http://www.kb.cert.org/vuls/id/903934
http://www.ocert.org/advisories/ocert-2011-003.html
https://web.archive.org/web/20120105151644/http://www.nruns.com/_downloads/advisory28122011.pdf
https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
https://github.com/advisories/GHSA-v3h8-rw48-h4gr
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.apache.geronimo/geronimo org.apache.geronimo geronimo < 2.2.1
Fixed pkg:maven/org.apache.geronimo/geronimo org.apache.geronimo geronimo = 2.2.1
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date