{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8391", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2024-09-03T12:39:46.456Z", "datePublished": "2024-09-04T15:27:58.478Z", "dateUpdated": "2024-09-04T17:40:20.318Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "io.vertx:vertx-grpc-server", "product": "Eclipse Vert.x", "repo": "https://github.com/eclipse-vertx/vertx-grpc", "vendor": "Eclipse Foundation", "versions": [{"lessThan": "4.5.10", "status": "affected", "version": "4.3.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div></div><div>In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).&nbsp;</div><div><br></div><div>This is fixed in the 4.5.10 version.&nbsp;</div><div><br></div><div>Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)</div><div><br></div>"}], "value": "In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\n\n\n\n\nThis is fixed in the 4.5.10 version.\u00a0\n\n\n\n\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-09-04T17:40:20.318Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"}, {"url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"}], "source": {"discovery": "UNKNOWN"}, "title": "Eclipse Vert.x gRPC server does not limit the maximum message size", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "eclipse_foundation", "product": "vert.x", "cpes": ["cpe:2.3:a:eclipse_foundation:vert.x:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.3.0", "status": "affected", "lessThan": "4.5.10", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T15:52:09.291594Z", "id": "CVE-2024-8391", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:58:44.725Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T15:52:09.291594Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:eclipse_foundation:vert.x:*:*:*:*:*:*:*:*"], "vendor": "eclipse_foundation", "product": "vert.x", "versions": [{"status": "affected", "version": "4.3.0", "lessThan": "4.5.10", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T15:58:33.500Z"}}], "cna": {"title": "Eclipse Vert.x gRPC server does not limit the maximum message size", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eclipse-vertx/vertx-grpc", "vendor": "Eclipse Foundation", "product": "Eclipse Vert.x", "versions": [{"status": "affected", "version": "4.3.0", "lessThan": "4.5.10", "versionType": "semver"}], "packageName": "io.vertx:vertx-grpc-server", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"}, {"url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\n\n\n\n\nThis is fixed in the 4.5.10 version.\u00a0\n\n\n\n\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)", "supportingMedia": [{"type": "text/html", "value": "<div></div><div>In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).&nbsp;</div><div><br></div><div>This is fixed in the 4.5.10 version.&nbsp;</div><div><br></div><div>Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)</div><div><br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2024-09-04T17:40:20.318Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8391", "state": "PUBLISHED", "dateUpdated": "2024-09-04T17:40:20.318Z", "dateReserved": "2024-09-03T12:39:46.456Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2024-09-04T15:27:58.478Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A26F841-8F44-472F-B3CA-561D561DF1F4", "versionEndExcluding": "4.5.10", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\n\n\n\n\nThis is fixed in the 4.5.10 version.\u00a0\n\n\n\n\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)"}, {"lang": "es", "value": "En las versiones 4.3.0 a 4.5.9 de Eclipse Vert.x, el servidor gRPC no limita la longitud m\u00e1xima del payload del mensaje (GAV de Maven: io.vertx:vertx-grpc-server y io.vertx:vertx-grpc-client). Esto se solucion\u00f3 en la versi\u00f3n 4.5.10. Tenga en cuenta que esto no afecta a las librer\u00edas grpc-java y Netty basadas en el servidor gRPC de Vert.x (GAV de Maven: io.vertx:vertx-grpc)"}], "id": "CVE-2024-8391", "lastModified": "2024-09-12T16:44:01.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2024-09-04T16:15:09.253", "references": [{"source": "emo@eclipse.org", "tags": ["Issue Tracking"], "url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113"}, {"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "emo@eclipse.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "io.vertx/vertx-grpc-client", "product_name": "Red Hat build of Apache Camel for Quarkus", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "io.vertx/vertx-grpc-server", "product_name": "Red Hat build of Apache Camel for Quarkus", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6437", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "package": "io.vertx/vertx-grpc-client:4.5.7.redhat-00003", "product_name": "Red Hat build of Quarkus 3.8.6.redhat", "release_date": "2024-09-23T00:00:00Z"}, {"advisory": "RHSA-2024:6437", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "package": "io.vertx/vertx-grpc-server:4.5.7.redhat-00003", "product_name": "Red Hat build of Quarkus 3.8.6.redhat", "release_date": "2024-09-23T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.34.0-5", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.34.0-2", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-management-console-rhel8:1.34.0-5", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-operator-bundle:1.34.0-5", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-rhel8-operator:1.34.0-5", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-swf-builder-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:8023", "cpe": "cpe:/a:redhat:openshift_serverless:1.34::el8", "package": "openshift-serverless-1/logic-swf-devmode-rhel8:1.34.0-6", "product_name": "RHOSS-1.34-RHEL-8", "release_date": "2024-10-14T00:00:00Z"}], "bugzilla": {"description": "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size", "id": "2309758", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309758"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-770", "details": ["In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).\u00a0\nThis is fixed in the 4.5.10 version.\u00a0\nNote this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)", "A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-8391", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "io.vertx/vertx-grpc-server", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Under investigation", "package_name": "io.vertx.vertx-grpc-server", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Will not fix", "package_name": "io.vertx/vertx-grpc-client", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Will not fix", "package_name": "io.vertx/vertx-grpc-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Under investigation", "package_name": "vertx-grpc-client-4.4.8.redhat", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "io.vertx/vertx-grpc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2024-09-04T16:15:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8391\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8391\nhttps://github.com/eclipse-vertx/vertx-grpc/issues/113\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/31"], "threat_severity": "Moderate"}