CVE-2021-21293

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a...

com.avast:sst-app-monix_3 (>=0.17.0 <=0.19.3), com.avast:sst-app-zio_3 (>=0.17.0 <=0.19.3) +23 more potentially affected by CVE-2021-41084 via org.http4s:http4s-server_3 (>=0.22.0 <=0.22.4)

org.http4s:http4s-server3 MAVEN version =0.22.0, =0.17.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.16.0, =0.17.0, =0.17.0, =0.16.0, =0.16.0, =0.18.1, =0.22.0, =0.22.0, =0.22.15 and more Source cves: CVE-2021-41084 Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...

io.github.jmcardon:tsec-http4s_2.13.0-M5 (>=0.1.0 <=0.1.0-M4), org.http4s:http4s-blaze-server_2.13.0-M5 (>=0.20.0 <=0.20.10) +3 more potentially affected by CVE-2021-41084 via org.http4s:http4s-server_2.13.0-M5 (>=0.20.0-RC1 <=0.20.9)

org.http4s:http4s-server2.13.0-M5 MAVEN version =0.20.0-RC1, =0.1.0, =0.20.0, =0.20.0, =0.20.0, =0.20.0, =0.20.10 Source cves: CVE-2021-41084 Source advisory: OSV:GHSA-5VCM-3XC3-W7X3...

com.avast:sst-app-monix_3 (>=0.17.0 <=0.19.3), com.avast:sst-app-zio_3 (>=0.17.0 <=0.19.3) +23 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_3 (>=0.22.0 <=0.22.2)

org.http4s:http4s-server3 MAVEN version =0.22.0, =0.17.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.17.0, =0.16.0, =0.16.0, =0.17.0, =0.17.0, =0.16.0, =0.16.0, =0.18.1, =0.22.0, =0.22.0, =0.22.15 and more Source cves: CVE-2021-39185 Source advisory: OSV:GHSA-52CF-226F-RHR6...

Design/Logic Flaw

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a...

com.akolov:doorman_2.13 (>=0.2.0 <=0.4.0), com.avast.grpc:grpc-json-bridge-http4s_2.13 (>=0.18.3 <=0.18.4) +56 more potentially affected by CVE-2021-21293 +1 more via org.http4s:http4s-blaze-server_2.13 (>=0.21.0-M1 <=0.21.16)

org.http4s:http4s-blaze-server2.13 MAVEN version =0.21.0-M1, =0.2.0, =0.18.3, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.0.7-M1, =0.0.7-M1, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.42 and more Source cves: CVE-2021-21293, CVE-2021-21294 Source advisory: OSV:GHSA-XHV5-W9C5-2...

ch.j3t:zio-prefetcher_2.12 (>=0.3.0 <=0.6.0), com.47deg:embedded-cassandra-core_2.12 (=0.0.7) +146 more potentially affected by CVE-2021-21293 +1 more via org.http4s:blaze-core_2.12 (>=0.12.4 <=0.14.14)

org.http4s:blaze-core2.12 MAVEN version =0.12.4, =0.3.0, =0.22.0, =0.13.2, =0.2.6, =0.3.0, =0.18.1, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.1.13, =0.5.6 - com.azavea.geotrellis:geotrellis-stac-example2.12 =4.3.0 and more Source cves: CVE-2021-21293, CVE-2021-21294 Source advisory:...

Unbounded connection acceptance leads to file handle exhaustion

Impact All servers running blaze-core = 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...

GHSA-XMW9-Q7X9-J5QC Unbounded connection acceptance leads to file handle exhaustion

Impact All servers running blaze-core = 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...

CVE-2021-21293 Unbounded connection acceptance leads to file handle exhaustion

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a...

PT-2021-14395 · Unknown +1 · Blaze-Core +5

Name of the Vulnerable Software and Affected Versions: blaze-core versions prior to 0.14.15 http4s-blaze-server versions prior to 0.21.17 Description: The issue is caused by unbounded connection acceptance in blaze-core, leading to file handle exhaustion. This can amplify degradation in services...

Http4s Blaze Resource Management Error Vulnerability

Http4s Blaze is a java-based NIO codebase for processing network streams from the Http4s organization. A security vulnerability exists in Http4s Blaze that originates from accepting connections without restriction on a selector pool. The following products and versions are affected: Http4s before...

Http4s Blaze Resource Management Error Vulnerability

Http4s Blaze is a java-based NIO codebase for processing network streams from the Http4s organization. A resource management error vulnerability exists in Http4s Blaze that stems from the fact that unlimited connection acceptance will result in file handle exhaustion...