{"containers": {"cna": {"affected": [{"product": "org.eclipse.milo:sdk-server", "vendor": "n/a", "versions": [{"lessThan": "0.6.8", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Vera Mens"}, {"lang": "en", "value": "Uri Katz"}, {"lang": "en", "value": "Sharon Brizinov of Team82 (Claroty Research)"}], "datePublic": "2022-09-08T00:00:00", "descriptions": [{"lang": "en", "value": "The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "NONE", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 5.6, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Denial of Service (DoS)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-08T05:05:12", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/eclipse/milo/pull/1031"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/eclipse/milo/issues/1030"}], "title": "Denial of Service (DoS)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-09-08T05:00:11.747866Z", "ID": "CVE-2022-25897", "STATE": "PUBLIC", "TITLE": "Denial of Service (DoS)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "org.eclipse.milo:sdk-server", "version": {"version_data": [{"version_affected": "<", "version_value": "0.6.8"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Vera Mens"}, {"lang": "eng", "value": "Uri Katz"}, {"lang": "eng", "value": "Sharon Brizinov of Team82 (Claroty Research)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service (DoS)"}]}]}, "references": {"reference_data": [{"name": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191", "refsource": "MISC", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191"}, {"name": "https://github.com/eclipse/milo/pull/1031", "refsource": "MISC", "url": "https://github.com/eclipse/milo/pull/1031"}, {"name": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5", "refsource": "MISC", "url": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5"}, {"name": "https://github.com/eclipse/milo/issues/1030", "refsource": "MISC", "url": "https://github.com/eclipse/milo/issues/1030"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:44.364Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/eclipse/milo/pull/1031"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/eclipse/milo/issues/1030"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25897", "datePublished": "2022-09-08T05:05:12.190707Z", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2024-09-16T17:49:20.074Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:milo:*:*:*:*:*:*:*:*", "matchCriteriaId": "21638D30-0B3C-4457-BEBC-022ACACE81A5", "versionEndExcluding": "0.6.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False."}, {"lang": "es", "value": "El paquete org.eclipse.milo:sdk-server versiones anteriores a 0.6.8, es vulnerable a una Denegaci\u00f3n de Servicio (DoS) al omitir las limitaciones por consumo excesivo de memoria mediante el env\u00edo de varias peticiones CloseSession con el par\u00e1metro deleteSubscription igual a False"}], "id": "CVE-2022-25897", "lastModified": "2022-09-13T20:17:37.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2022-09-08T05:15:07.410", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5"}, {"source": "report@snyk.io", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/eclipse/milo/issues/1030"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/eclipse/milo/pull/1031"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8902", "cpe": "cpe:/a:redhat:camel_spring_boot:3.18.3", "package": "org.eclipse.milo-sdk-server", "product_name": "RHINT Camel-Springboot 3.18.3", "release_date": "2022-12-08T00:00:00Z"}], "bugzilla": {"description": "sdk-server: Denial of Service", "id": "2136188", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136188"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.", "A flaw was found in the Eclipse Milo SDK Server. This flaw allows an attacker to consume the application memory, leading to a denial of service by sending specific requests."], "name": "CVE-2022-25897", "package_state": [{"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "org.eclipse.milo-sdk-server", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "org.eclipse.milo-sdk-server", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "org.eclipse.milo-sdk-serve", "product_name": "Red Hat JBoss Fuse 7"}], "public_date": "2022-09-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-25897\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-25897"], "threat_severity": "Moderate", "upstream_fix": "sdk-server 0.6.8"}