Vulnerabilities: 2 via 6 paths

Dependencies: 26

Source: GitHub


medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: io.vertx:vertx-core
  • Introduced through: io.vertx:vertx-core@4.5.23, io.vertx:vertx-web@4.5.23 and others

Detailed paths

  • Introduced through: Stwissel/vertx-sfdc-platformevents@Stwissel/vertx-sfdc-platformevents › io.vertx:vertx-core@4.5.23
    Remediation: Upgrade to io.vertx:vertx-core@4.5.27.
  • Introduced through: Stwissel/vertx-sfdc-platformevents@Stwissel/vertx-sfdc-platformevents › io.vertx:vertx-web@4.5.23 › io.vertx:vertx-bridge-common@4.5.23 › io.vertx:vertx-core@4.5.23
    Remediation: Upgrade to io.vertx:vertx-web@4.5.27.
  • Introduced through: Stwissel/vertx-sfdc-platformevents@Stwissel/vertx-sfdc-platformevents › io.vertx:vertx-web-client@4.5.23 › io.vertx:vertx-uri-template@4.5.23 › io.vertx:vertx-core@4.5.23
    Remediation: Upgrade to io.vertx:vertx-web-client@4.5.27.

Overview

io.vertx:vertx-core is a toolkit for building reactive applications on the JVM.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling during the TLS handshake process, where the SslContext cache can be forced to grow indefinitely. The SSLHelper, SslChannelProvider, and SslContextProvider classes responsible for this caching in different versions all exhibit the same vulnerable behavior. A malicious client can disrupt service by sending a large number of distinct valid SNI names. This is particularly likely when the server has a broad hostname rule such as a wildcard.

Remediation

Upgrade io.vertx:vertx-core to version 4.5.27, 5.0.12 or higher.

medium severity

HTTP Request Smuggling

  • Vulnerable module: io.vertx:vertx-core
  • Introduced through: io.vertx:vertx-core@4.5.23, io.vertx:vertx-web@4.5.23 and others

Detailed paths

  • Introduced through: Stwissel/vertx-sfdc-platformevents@Stwissel/vertx-sfdc-platformevents › io.vertx:vertx-core@4.5.23
    Remediation: Upgrade to io.vertx:vertx-core@4.5.24.
  • Introduced through: Stwissel/vertx-sfdc-platformevents@Stwissel/vertx-sfdc-platformevents › io.vertx:vertx-web@4.5.23 › io.vertx:vertx-bridge-common@4.5.23 › io.vertx:vertx-core@4.5.23
    Remediation: Upgrade to io.vertx:vertx-web@4.5.24.
  • Introduced through: Stwissel/vertx-sfdc-platformevents@Stwissel/vertx-sfdc-platformevents › io.vertx:vertx-web-client@4.5.23 › io.vertx:vertx-uri-template@4.5.23 › io.vertx:vertx-core@4.5.23
    Remediation: Upgrade to io.vertx:vertx-web-client@4.5.24.

Overview

io.vertx:vertx-core is a toolkit for building reactive applications on the JVM.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper handling of `/` in the output buffer by the removeDots() function in the Static Handler. An attacker can prevent access to static files by sending specially crafted request URIs that exploit the improper handling of encoded path traversal sequences.

Workaround

This vulnerability can be mitigated by disabling the Static Handler cache.

Remediation

Upgrade io.vertx:vertx-core to version 4.5.24 or higher.
