FKIE_CVE-2024-1023

Vulnerability from fkie_nvd - Published: 2024-03-27 08:15 - Updated: 2024-11-25 03:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1662
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1706
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:2088
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:2833
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3527
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3989
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:4884
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-1023
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2260840
secalert@redhat.comhttps://github.com/eclipse-vertx/vert.x/issues/5078
secalert@redhat.comhttps://github.com/eclipse-vertx/vert.x/pull/5080
secalert@redhat.comhttps://github.com/eclipse-vertx/vert.x/pull/5082
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1662
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1706
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:2088
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:2833
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3527
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3989
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:4884
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2024-1023
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2260840
af854a3a-2127-422b-91ae-364da2661108https://github.com/eclipse-vertx/vert.x/issues/5078
af854a3a-2127-422b-91ae-364da2661108https://github.com/eclipse-vertx/vert.x/pull/5080
af854a3a-2127-422b-91ae-364da2661108https://github.com/eclipse-vertx/vert.x/pull/5082
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el kit de herramientas Eclipse Vert.x provoca una p\u00e9rdida de memoria debido al uso de estructuras de datos Netty FastThreadLocal. Espec\u00edficamente, cuando el cliente HTTP Vert.x establece conexiones con diferentes hosts, lo que desencadena la p\u00e9rdida de memoria. La filtraci\u00f3n se puede acelerar con un conocimiento \u00edntimo del tiempo de ejecuci\u00f3n, lo que permite a un atacante explotar esta vulnerabilidad. Por ejemplo, un servidor que acepte direcciones de Internet arbitrarias podr\u00eda servir como vector de ataque al conectarse a estas direcciones, acelerando as\u00ed la p\u00e9rdida de memoria."
    }
  ],
  "id": "CVE-2024-1023",
  "lastModified": "2024-11-25T03:15:09.013",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-27T08:15:38.140",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:1662"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:1706"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:2088"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:2833"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:3527"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:3989"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:4884"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1023"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/eclipse-vertx/vert.x/issues/5078"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/eclipse-vertx/vert.x/pull/5080"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/eclipse-vertx/vert.x/pull/5082"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:1662"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:1706"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:2088"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:2833"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:3527"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:3989"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:4884"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/security/cve/CVE-2024-1023"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260840"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/eclipse-vertx/vert.x/issues/5078"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/eclipse-vertx/vert.x/pull/5080"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/eclipse-vertx/vert.x/pull/5082"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.