14 matches found
CVE-2021-21293
blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a...
com.avast:sst-app-monix_3 (>=0.17.0 <=0.19.3), com.avast:sst-app-zio_3 (>=0.17.0 <=0.19.3) +23 more potentially affected by CVE-2021-41084 via org.http4s:http4s-server_3 (>=0.22.0 <=0.22.4)
org.http4s:http4s-server_3 MAVEN version =0.22.0, =0.17.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.16.0, =0.17.0, =0.17.0, =0.16.0, =0.16.0, =0.18.1, =0.22.0, =0.22.0, =0.22.15 and more Source cves: CVE-2021-41084 Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...
io.github.jmcardon:tsec-http4s_2.13.0-M5 (>=0.1.0 <=0.1.0-M4), org.http4s:http4s-blaze-server_2.13.0-M5 (>=0.20.0 <=0.20.10) +3 more potentially affected by CVE-2021-41084 via org.http4s:http4s-server_2.13.0-M5 (>=0.20.0-RC1 <=0.20.9)
org.http4s:http4s-server_2.13.0-M5 MAVEN version =0.20.0-RC1, =0.1.0, =0.20.0, =0.20.0, =0.20.0, =0.20.0, =0.20.10 Source cves: CVE-2021-41084 Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...
Design/Logic Flaw
blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a...
Design/Logic Flaw
Http4s http4s-blaze-server is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its...
com.akolov:doorman-core_2.12 (=0.0.5), com.akolov:doorman_2.12 (>=0.3.0 <=0.4.0) +101 more potentially affected by CVE-2021-21293 +1 more via org.http4s:http4s-blaze-server_2.12 (>=0.15.0a <=0.21.16)
org.http4s:http4s-blaze-server_2.12 MAVEN version =0.15.0a, =0.3.0, =0.18.3, =0.1.4, =0.1.4, =0.1.4, =0.1.4, =0.0.13, =0.0.13, =0.0.13, =0.0.13, =0.0.32, =0.0.13, =0.0.38, =0.0.42 and more Source cves: CVE-2021-21293, CVE-2021-21294 Source advisory: OSV:GHSA-XHV5-W9C5-2R2W...
GHSA-XHV5-W9C5-2R2W Unbounded connection acceptance in http4s-blaze-server
Impact blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an...
com.akolov:doorman_2.13 (>=0.2.0 <=0.4.0), com.avast.grpc:grpc-json-bridge-http4s_2.13 (>=0.18.3 <=0.18.4) +56 more potentially affected by CVE-2021-21293 +1 more via org.http4s:http4s-blaze-server_2.13 (>=0.21.0-M1 <=0.21.16)
org.http4s:http4s-blaze-server_2.13 MAVEN version =0.21.0-M1, =0.2.0, =0.18.3, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.0.7-M1, =0.0.7-M1, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.42 and more Source cves: CVE-2021-21293, CVE-2021-21294 Source advisory: OSV:GHSA-XHV5-W9C5-2...
Unbounded connection acceptance leads to file handle exhaustion
Impact All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...
GHSA-XMW9-Q7X9-J5QC Unbounded connection acceptance leads to file handle exhaustion
Impact All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...
CVE-2021-21294 Unbounded connection acceptance in http4s-blaze-server
Http4s http4s-blaze-server is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its...
CVE-2021-21294
The CVE-2021-21294 issue affects http4s-blaze-server (BlazeCore) where the server accepts connections unboundedly on its selector pool, potentially exhausting OS resources and undermining circuit breakers. Affected: http4s-blaze-server variants prior to 0.21.17, 0.22.0-M2, and 1.0.0-M14; underlyi...
CVE-2021-21293 Unbounded connection acceptance leads to file handle exhaustion
blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a...
PT-2021-14395 · Unknown +1 · Blaze-Core +5
Name of the Vulnerable Software and Affected Versions: blaze-core versions prior to 0.14.15; http4s-blaze-server versions prior to 0.21.17. Description: The issue is caused by unbounded connection acceptance in blaze-core, leading to file handle exhaustion. This can amplify degradation in services...