
13 matches found

RedhatCVE
added 2025/05/22 9:31 p.m. · 5 views

CVE-2021-21293

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a...

CVSS 7.5 · AI score 6.5 · EPSS 0.00408
Exploits 0 · References 1

vulnersOsv
added 2021/09/22 7:18 p.m. · 1 views

com.avast:sst-app-monix_3 (>=0.17.0 <=0.19.3), com.avast:sst-app-zio_3 (>=0.17.0 <=0.19.3) +23 more potentially affected by CVE-2021-41084 via org.http4s:http4s-server_3 (>=0.22.0 <=0.22.4)

org.http4s:http4s-server_3 MAVEN version =0.22.0, =0.17.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.16.0, =0.17.0, =0.17.0, =0.16.0, =0.16.0, =0.18.1, =0.22.0, =0.22.0, =0.22.15 and more. Source CVEs: CVE-2021-41084. Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...

CVSS 8.7 · AI score 6.5 · EPSS 0.00451
Exploits 1

vulnersOsv
added 2021/09/22 7:18 p.m. · 0 views

io.github.jmcardon:tsec-http4s_2.13.0-M5 (>=0.1.0 <=0.1.0-M4), org.http4s:http4s-blaze-server_2.13.0-M5 (>=0.20.0 <=0.20.10) +3 more potentially affected by CVE-2021-41084 via org.http4s:http4s-server_2.13.0-M5 (>=0.20.0-RC1 <=0.20.9)

org.http4s:http4s-server_2.13.0-M5 MAVEN version =0.20.0-RC1, =0.1.0, =0.20.0, =0.20.0, =0.20.0, =0.20.0, =0.20.10. Source CVEs: CVE-2021-41084. Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...

CVSS 8.7 · AI score 6.5 · EPSS 0.00451
Exploits 1

vulnersOsv
added 2021/09/02 4:52 p.m. · 2 views

com.avast:sst-app-monix_3 (>=0.17.0 <=0.19.3), com.avast:sst-app-zio_3 (>=0.17.0 <=0.19.3) +23 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_3 (>=0.22.0 <=0.22.2)

org.http4s:http4s-server_3 MAVEN version =0.22.0, =0.17.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.16.0, =0.17.0, =0.17.0, =0.16.0, =0.16.0, =0.18.1, =0.22.0, =0.22.0, =0.22.15 and more. Source CVEs: CVE-2021-39185. Source advisory: OSV:GHSA-52CF-226F-RHR6...

CVSS 9.1 · AI score 7.2 · EPSS 0.00169
Exploits 0

Prion
added 2021/02/02 10:15 p.m. · 6 views

Design/Logic Flaw

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a...

CVSS 5 · AI score 7.3 · EPSS 0.00408
Exploits 0 · References 3 · Affected Software 1

vulnersOsv
added 2021/02/02 9:42 p.m. · 2 views

com.akolov:doorman_2.13 (>=0.2.0 <=0.4.0), com.avast.grpc:grpc-json-bridge-http4s_2.13 (>=0.18.3 <=0.18.4) +56 more potentially affected by CVE-2021-21293 +1 more via org.http4s:http4s-blaze-server_2.13 (>=0.21.0-M1 <=0.21.16)

org.http4s:http4s-blaze-server_2.13 MAVEN version =0.21.0-M1, =0.2.0, =0.18.3, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.0.7-M1, =0.0.7-M1, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.42 and more. Source CVEs: CVE-2021-21293, CVE-2021-21294. Source advisory: OSV:GHSA-XHV5-W9C5-2...

CVSS 7.5 · AI score 7.1 · EPSS 0.00408
Exploits 0

Github Security Blog
added 2021/02/02 9:42 p.m. · 76 views

Unbounded connection acceptance leads to file handle exhaustion

Impact: All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...

CVSS 7.5 · AI score 1.1 · EPSS 0.00408
Exploits 0 · References 5 · Affected Software 3

OSV
added 2021/02/02 9:42 p.m. · 1 views

GHSA-XMW9-Q7X9-J5QC Unbounded connection acceptance leads to file handle exhaustion

Impact: All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...

CVSS 7.5 · AI score 7 · EPSS 0.00408
Exploits 0 · References 4

vulnersOsv
added 2021/02/02 9:42 p.m. · 1 views

ch.j3t:zio-prefetcher_2.12 (>=0.3.0 <=0.6.0), com.47deg:embedded-cassandra-core_2.12 (=0.0.7) +171 more potentially affected by CVE-2021-21293 +1 more via org.http4s:blaze-core_2.12 (>=0.12.10 <=0.14.14)

org.http4s:blaze-core_2.12 MAVEN version =0.12.10, =0.3.0, =0.22.0, =0.13.2, =0.2.6, =0.3.0, =0.18.1, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.5.6 - com.azavea.geotrellis:geotrellis-stac-example_2.12 =4.3.0 and more. Source CVEs: CVE-2021-21293, CVE-2021-21294. Source advisory:...

CVSS 7.5 · AI score 7.1 · EPSS 0.00408
Exploits 0

Cvelist
added 2021/02/02 9:35 p.m. · 13 views

CVE-2021-21293 Unbounded connection acceptance leads to file handle exhaustion

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a...

CVSS 7.5 · AI score 7.5 · EPSS 0.00408
Exploits 0 · References 3

CNNVD
added 2021/02/02 12:00 a.m. · 4 views

Http4s Blaze Resource Management Error Vulnerability

Http4s Blaze is a Java-based NIO codebase for processing network streams from the Http4s organization. A resource management error vulnerability exists in Http4s Blaze that stems from the fact that unlimited connection acceptance will result in file handle exhaustion...

CVSS 7.5 · AI score 7.1 · EPSS 0.00408
Exploits 0 · References 2

CNNVD
added 2021/02/02 12:00 a.m. · 2 views

Http4s Blaze Resource Management Error Vulnerability

Http4s Blaze is a Java-based NIO codebase for processing network streams from the Http4s organization. A security vulnerability exists in Http4s Blaze that originates from accepting connections without restriction on a selector pool. The following products and versions are affected: Http4s before...

CVSS 7.5 · AI score 7.1 · EPSS 0.00408
Exploits 0 · References 2

Positive Technologies
added 2021/02/02 12:00 a.m. · 2 views

PT-2021-14395 · Unknown +1 · Blaze-Core +5

Name of the Vulnerable Software and Affected Versions: blaze-core versions prior to 0.14.15; http4s-blaze-server versions prior to 0.21.17. Description: The issue is caused by unbounded connection acceptance in blaze-core, leading to file handle exhaustion. This can amplify degradation in services...

CVSS 7.5 · AI score 7.2 · EPSS 0.00408
Exploits 0 · References 10