CVE-2024-8391 - Vulnerability Details

In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in the 4.5.10 version. Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Eclipse	Vert.x
Eclipse Foundation	Vert.x
Redhat	Camel Quarkus Jboss Enterprise Application Platform Openshift Serverless Quarkus

Configuration 1 [-]

cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat build of Apache Camel 4 for Quarkus 3
io.vertx/vertx-grpc-client	cpe:/a:redhat:camel_quarkus:3.8	RHSA-2024:7052	2024-09-24T00:00:00Z
io.vertx/vertx-grpc-server	cpe:/a:redhat:camel_quarkus:3.8	RHSA-2024:7052	2024-09-24T00:00:00Z
Red Hat build of Quarkus 3.8.6.redhat
io.vertx/vertx-grpc-client:4.5.7.redhat-00003	cpe:/a:redhat:quarkus:3.8::el8	RHSA-2024:6437	2024-09-23T00:00:00Z
io.vertx/vertx-grpc-server:4.5.7.redhat-00003	cpe:/a:redhat:quarkus:3.8::el8	RHSA-2024:6437	2024-09-23T00:00:00Z
Red Hat JBoss EAP XP 5.0 Update 1.0
io.vertx/vertx-grpc	cpe:/a:redhat:jboss_enterprise_application_platform:8.0	RHSA-2025:0542	2025-01-21T00:00:00Z
RHOSS-1.34-RHEL-8
openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.34.0-6	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-data-index-postgresql-rhel8:1.34.0-6	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.34.0-5	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.34.0-6	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.34.0-2	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-management-console-rhel8:1.34.0-5	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-operator-bundle:1.34.0-5	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-rhel8-operator:1.34.0-5	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-swf-builder-rhel8:1.34.0-6	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z
openshift-serverless-1/logic-swf-devmode-rhel8:1.34.0-6	cpe:/a:redhat:openshift_serverless:1.34::el8	RHSA-2024:8023	2024-10-14T00:00:00Z

References

Link	Providers
https://github.com/eclipse-vertx/vertx-grpc/issues/113
https://gitlab.eclipse.org/security/cve-assignement/-/issues/31
https://nvd.nist.gov/vuln/detail/CVE-2024-8391
https://www.cve.org/CVERecord?id=CVE-2024-8391

History

Thu, 13 Feb 2025 00:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:8.0
Vendors & Products		Redhat jboss Enterprise Application Platform

Tue, 15 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Serverless
CPEs		cpe:/a:redhat:openshift_serverless:1.34::el8
Vendors & Products		Redhat openshift Serverless

Wed, 25 Sep 2024 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat camel Quarkus
CPEs		cpe:/a:redhat:camel_quarkus:3.8
Vendors & Products		Redhat camel Quarkus

Mon, 23 Sep 2024 23:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat quarkus
CPEs		cpe:/a:redhat:quarkus:3.8::el8
Vendors & Products		Redhat Redhat quarkus

Thu, 12 Sep 2024 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Eclipse Eclipse vert.x
CPEs		cpe:2.3:a:eclipse:vert.x::::::::
Vendors & Products		Eclipse Eclipse vert.x
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 04 Sep 2024 21:45:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-8391 https://www.cve.org/CVERecord?id=CVE-2024-8391
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` threat_severity `Moderate`

Wed, 04 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Eclipse Foundation Eclipse Foundation vert.x
CPEs		cpe:2.3:a:eclipse_foundation:vert.x::::::::
Vendors & Products		Eclipse Foundation Eclipse Foundation vert.x
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Description		In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in the 4.5.10 version. Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)
Title		Eclipse Vert.x gRPC server does not limit the maximum message size
Weaknesses		CWE-770
References		https://github.com/eclipse-vertx/vertx-grpc/issues/113 https://gitlab.eclipse.org/security/cve-assignement/-/issues/31
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2024-09-04T15:27:58.478Z

Updated: 2024-09-04T17:40:20.318Z

Reserved: 2024-09-03T12:39:46.456Z

Link: CVE-2024-8391

Vulnrichment

Updated: 2024-09-04T15:58:33.500Z

NVD

Status : Analyzed

Published: 2024-09-04T16:15:09.253

Modified: 2024-09-12T16:44:01.247

Link: CVE-2024-8391

Redhat

Severity : Moderate

Publid Date: 2024-09-04T16:15:09Z

Links: CVE-2024-8391 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8391", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-09-03T12:39:46.456Z", "datePublished": "2024-09-04T15:27:58.478Z", "dateUpdated": "2024-09-04T17:40:20.318Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "io.vertx:vertx-grpc-server", "product": "Eclipse Vert.x", "repo": "https://github.com/eclipse-vertx/vertx-grpc", "vendor": "Eclipse Foundation", "versions": [{"lessThan": "4.5.10", "status": "affected", "version": "4.3.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div></div><div>In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). </div><div><br></div><div>This is fixed in the 4.5.10 version. </div><div><br></div><div>Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)</div><div><br></div>"}], "value": "In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\n\n\n\n\nThis is fixed in the 4.5.10 version.\u00a0\n\n\n\n\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-09-04T17:40:20.318Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"}, {"url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"}], "source": {"discovery": "UNKNOWN"}, "title": "Eclipse Vert.x gRPC server does not limit the maximum message size", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "eclipse_foundation", "product": "vert.x", "cpes": ["cpe:2.3:a:eclipse_foundation:vert.x:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.3.0", "status": "affected", "lessThan": "4.5.10", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T15:52:09.291594Z", "id": "CVE-2024-8391", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:58:44.725Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T15:52:09.291594Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:eclipse_foundation:vert.x:*:*:*:*:*:*:*:*"], "vendor": "eclipse_foundation", "product": "vert.x", "versions": [{"status": "affected", "version": "4.3.0", "lessThan": "4.5.10", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:58:33.500Z"}}], "cna": {"title": "Eclipse Vert.x gRPC server does not limit the maximum message size", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eclipse-vertx/vertx-grpc", "vendor": "Eclipse Foundation", "product": "Eclipse Vert.x", "versions": [{"status": "affected", "version": "4.3.0", "lessThan": "4.5.10", "versionType": "semver"}], "packageName": "io.vertx:vertx-grpc-server", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"}, {"url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\n\n\n\n\nThis is fixed in the 4.5.10 version.\u00a0\n\n\n\n\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)", "supportingMedia": [{"type": "text/html", "value": "<div></div><div>In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). </div><div><br></div><div>This is fixed in the 4.5.10 version. </div><div><br></div><div>Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)</div><div><br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-09-04T17:40:20.318Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8391", "state": "PUBLISHED", "dateUpdated": "2024-09-04T17:40:20.318Z", "dateReserved": "2024-09-03T12:39:46.456Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2024-09-04T15:27:58.478Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A26F841-8F44-472F-B3CA-561D561DF1F4", "versionEndExcluding": "4.5.10", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\n\n\n\n\nThis is fixed in the 4.5.10 version.\u00a0\n\n\n\n\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)"}, {"lang": "es", "value": "En las versiones 4.3.0 a 4.5.9 de Eclipse Vert.x, el servidor gRPC no limita la longitud m\u00e1xima del payload del mensaje (GAV de Maven: io.vertx:vertx-grpc-server y io.vertx:vertx-grpc-client). Esto se solucion\u00f3 en la versi\u00f3n 4.5.10. Tenga en cuenta que esto no afecta a las librer\u00edas grpc-java y Netty basadas en el servidor gRPC de Vert.x (GAV de Maven: io.vertx:vertx-grpc)"}], "id": "CVE-2024-8391", "lastModified": "2024-09-12T16:44:01.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2024-09-04T16:15:09.253", "references": [{"source": "emo@eclipse.org", "tags": ["Issue Tracking"], "url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"}, {"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "impact": "moderate", "package": "io.vertx/vertx-grpc-client", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "impact": "moderate", "package": "io.vertx/vertx-grpc-server", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6437", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "impact": "moderate", "package": "io.vertx/vertx-grpc-client:4.5.7.redhat-00003", "product_name": "Red Hat build of Quarkus 3.8.6.redhat", "release_date": "2024-09-23T00:00:00Z"}, {"advisory": "RHSA-2024:6437", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "impact": "moderate", "package": "io.vertx/vertx-grpc-server:4.5.7.redhat-00003", "product_name": "Red Hat build of Quarkus 3.8.6.redhat", "release_date": "2024-09-23T00:00:00Z"}, {"advisory": "RHSA-2025:0542", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "io.vertx/vertx-grpc", "product_name": "Red Hat JBoss EAP XP 5.0 Update 1.0", "release_date": "2025-01-21T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.34.0-5", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.34.0-2", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-management-console-rhel8:1.34.0-5", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-operator-bundle:1.34.0-5", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-rhel8-operator:1.34.0-5", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-swf-builder-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "impact": "moderate", "package": "openshift-serverless-1/logic-swf-devmode-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}], "bugzilla": {"description": "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size", "id": "2309758", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309758"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\nThis is fixed in the 4.5.10 version.\u00a0\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)", "A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-8391", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "impact": "moderate", "package_name": "io.vertx/vertx-grpc-server", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Under investigation", "impact": "moderate", "package_name": "io.vertx.vertx-grpc-server", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Will not fix", "impact": "moderate", "package_name": "io.vertx/vertx-grpc-client", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Will not fix", "impact": "moderate", "package_name": "io.vertx/vertx-grpc-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Under investigation", "impact": "moderate", "package_name": "vertx-grpc-client-4.4.8.redhat", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "impact": "moderate", "package_name": "io.vertx/vertx-grpc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2024-09-04T16:15:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8391\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8391\nhttps://github.com/eclipse-vertx/vertx-grpc/issues/113\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/31"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object