OSV:GHSA-GCJ9-JJ38-HWMC
Jun 09, 2023 - 7:31 p.m.

Vapor's Metrics integration could cause a system drain

2023-06-09 19:31:47
Google
osv.dev
10
Tags: dos attack, metrics integration, system drain, patched, defaultresponder, workaround

CVSS2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL

CVSS3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: LOW

AI Score: 7 (Confidence: High)
EPSS: 0.002 (Percentile: 51.9%)

Impact

This is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app. The attack vector:

  1. Send an unbounded number of requests to a Vapor instance, each with a different path. Every new path creates new counters and timers, so the metrics set grows without bound and eventually drains the system.
  2. Downstream services may suffer from this attack as well, since they get spammed with the same error paths.

Patches

This has been patched in 4.40.1. The DefaultResponder now rewrites any undefined route path to vapor_route_undefined, so unmatched paths no longer create unbounded counters.

Workarounds

Don't bootstrap a metrics system, or upgrade to 4.40.1.
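To make the failure mode in the Impact section and the fix in the Patches section concrete, here is an added Python model; it is not Vapor's code (Vapor is written in Swift). It keys counters and timers by route label the way a metrics backend would, replays a flood of distinct undefined paths, and shows how collapsing every unmatched path into the single vapor_route_undefined label keeps label cardinality bounded. The route table, probe paths and the `exceeds_budget` check are constructed for this example.

```python
from collections import defaultdict

# Label the patched DefaultResponder uses for unmatched paths (named in the advisory).
UNDEFINED_ROUTE_LABEL = "vapor_route_undefined"
# Constructed route table standing in for an app's registered routes (assumption).
ROUTES = ("/", "/users", "/users/:id")

def match_route(path):
    """Return the registered route pattern that matches path, or None."""
    segments = path.strip("/").split("/")
    for pattern in ROUTES:
        pseg = pattern.strip("/").split("/")
        if len(pseg) == len(segments) and all(p.startswith(":") or p == s for p, s in zip(pseg, segments)):
            return pattern
    return None

class RequestMetrics:
    """Per-route counters and timers, keyed the way a metrics backend labels them."""
    def __init__(self, normalize_undefined):
        self.normalize_undefined = normalize_undefined  # True models the 4.40.1 fix
        self.counters = defaultdict(int)
        self.timers = defaultdict(list)

    def record(self, method, path, duration_ms):
        route = match_route(path)
        if route is None:
            # Unpatched: the raw request path becomes the label, so every probe is a new series.
            # Patched: every unmatched path collapses into one fixed label.
            route = UNDEFINED_ROUTE_LABEL if self.normalize_undefined else path
        self.counters[(method, route)] += 1
        self.timers[(method, route)].append(duration_ms)

    def cardinality(self):
        """Distinct label sets held in memory; this is what the flood inflates."""
        return len(self.counters)

def simulate_flood(normalize_undefined, probes=10_000):
    """Replay the advisory's scenario: many requests, each with a different undefined path."""
    metrics = RequestMetrics(normalize_undefined)
    for i in range(probes):
        metrics.record("GET", f"/no-such-path-{i}", 1.0)  # constructed probe paths
    metrics.record("GET", "/users/42", 3.0)  # one legitimate request
    return metrics

def exceeds_budget(metrics, budget):
    """Detection check: flag a recorder whose label cardinality outgrew a fixed budget."""
    return metrics.cardinality() > budget
```

With the unpatched behaviour the flood leaves 10001 distinct series in memory; with the patched behaviour only 2 remain (the undefined-route bucket and the matched route).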

For more information

If you have any questions or comments about this advisory:
