Lucene search

[email protected]CVE-2022-25897

HistorySep 08, 2022 - 5:15 a.m.

CVE-2022-25897

2022-09-0805:15:00

CWE-770

[email protected]

web.nvd.nist.gov

cve-2022-25897

org.eclipse.milo

sdk-server

dos vulnerability

closesession

memory consumption

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.6 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

60.3%

JSON

The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

CPENameOperatorVersion
eclipse:miloeclipse milolt0.6.8

CPE	Name	Operator	Version
eclipse:milo	eclipse milo	lt	0.6.8

References

github.com/eclipse/milo/commit/4534381760d7d9f0bf00cbf6a8449bb0d13c6ce5

github.com/eclipse/milo/issues/1030

github.com/eclipse/milo/pull/1031

security.snyk.io/vuln/SNYK-JAVA-ORGECLIPSEMILO-2990191

Social References

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.6 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

60.3%

JSON

Related for CVE-2022-25897

osv2 redhatcve1 veracode1 prion1 github1 redhat1