CVE-2021-21293

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a...

Denial Of Service (DoS)

blaze-core is vulnerable to denial of service DoS. The vulnerability exists through the unbounded connection acceptance in the NIO1SocketServerGroup that leads to the exhaustion of file handles...

CVE-2021-21294

Http4s http4s-blaze-server is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its...

CVE-2021-21294

Http4s http4s-blaze-server is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its...

Design/Logic Flaw

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a...

Unbounded connection acceptance in http4s-blaze-server

Impact blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an...

Unbounded connection acceptance leads to file handle exhaustion

Impact All servers running blaze-core = 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...

GHSA-XMW9-Q7X9-J5QC Unbounded connection acceptance leads to file handle exhaustion

Impact All servers running blaze-core = 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...

ch.j3t:zio-prefetcher_2.12 (>=0.3.0 <=0.6.0), com.47deg:embedded-cassandra-core_2.12 (=0.0.7) +171 more potentially affected by CVE-2021-21293 +1 more via org.http4s:blaze-core_2.12 (>=0.12.10 <=0.14.14)

org.http4s:blaze-core2.12 MAVEN version =0.12.10, =0.3.0, =0.22.0, =0.13.2, =0.2.6, =0.3.0, =0.18.1, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.5.6 - com.azavea.geotrellis:geotrellis-stac-example2.12 =4.3.0 and more Source cves: CVE-2021-21293, CVE-2021-21294 Source advisory:...

ch.j3t:zio-prefetcher_2.13 (>=0.3.0 <=0.6.0), com.47deg:github4s_2.13 (>=0.22.0 <=0.24.0) +107 more potentially affected by CVE-2021-21293 +1 more via org.http4s:blaze-core_2.13 (>=0.14.10 <=0.14.14)

org.http4s:blaze-core2.13 MAVEN version =0.14.10, =0.3.0, =0.22.0, =0.2.0, =0.18.0, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.0.7-M1, =0.0.6, =0.0.6, =0.0.39, =0.0.39, =0.1.0.1 and more Source cves: CVE-2021-21293, CVE-2021-21294 Source advisory: OSV:GHSA-XMW9-Q7X9-J5QC...

com.criteo.cuttle:cron_2.11 (>=0.5.1 <=0.9.12), com.criteo.cuttle:cuttle_2.11 (>=0.5.1 <=0.9.12) +78 more potentially affected by CVE-2021-21293 +1 more via org.http4s:blaze-core_2.11 (>=0.10.0 <=0.14.14)

org.http4s:blaze-core2.11 MAVEN version =0.10.0, =0.5.1, =0.5.1, =0.5.1, =0.11.0, =0.11.0, =0.11.0, =0.12.7, =0.12.7, =0.12.7, =0.14.1, =0.16.0, =0.16.0, =0.12.7, =0.0.3, =0.0.7, =0.1.0 and more Source cves: CVE-2021-21293, CVE-2021-21294 Source advisory: OSV:GHSA-XMW9-Q7X9-J5QC...

CVE-2021-21293 Unbounded connection acceptance leads to file handle exhaustion

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a...

PT-2021-14396 · Unknown +2 · Blaze-Core +5

Name of the Vulnerable Software and Affected Versions: http4s versions prior to 0.21.17 http4s versions prior to 0.22.0-M2 http4s versions prior to 1.0.0-M14 Description: The issue is related to the blaze-core library, which accepts connections unboundedly on its selector pool. This can lead to a...

PT-2021-14395 · Unknown +1 · Blaze-Core +5

Name of the Vulnerable Software and Affected Versions: blaze-core versions prior to 0.14.15 http4s-blaze-server versions prior to 0.21.17 Description: The issue is caused by unbounded connection acceptance in blaze-core, leading to file handle exhaustion. This can amplify degradation in services...