Lucene search

GoogleOSV:GHSA-G76F-GJFX-4RPR

HistorySep 04, 2024 - 6:30 p.m.

Vertx gRPC server does not limit the maximum message size

2024-09-0418:30:58

Google

osv.dev

vertx

grpc server

maximum message size

security issue

version 4.3.0

version 4.5.9

maven gav

io.vertx:vertx-grpc-server

io.vertx:vertx-grpc-client

fix

version 4.5.10

grpc-java

netty libraries.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS4

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:N

AI Score

6.7

Confidence

High

EPSS

Percentile

14.0%

JSON

In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).

This is fixed in the 4.5.10 version.

Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)

References

github.com/eclipse-vertx/vertx-grpc

github.com/eclipse-vertx/vertx-grpc/commit/a76b14a92410c89fcc590c5852d800b565916ccf

github.com/eclipse-vertx/vertx-grpc/issues/113

gitlab.eclipse.org/security/cve-assignement/-/issues/31

nvd.nist.gov/vuln/detail/CVE-2024-8391

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS4

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:N

AI Score

6.7

Confidence

High

EPSS

Percentile

14.0%

JSON

Related for OSV:GHSA-G76F-GJFX-4RPR