GHSA-9f52-hpvw-v96w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9f52-hpvw-v96w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-9f52-hpvw-v96w/GHSA-9f52-hpvw-v96w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9f52-hpvw-v96w
- Aliases
- Published
- 2022-02-10T20:22:06Z
- Modified
- 2023-11-08T04:03:21.194931Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Improper Validation of Specified Quantity in Input in Eclipse Hono
- Details
-
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP 1.0 protocol explicitly disallows a peer to send such messages, a hand crafted AMQP 1.0 client could exploit this behavior in order to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out of memory exception.
- Database specific
{ "nvd_published_at": "2020-11-13T20:15:00Z", "github_reviewed_at": "2021-04-19T23:18:06Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-1284" ] }- References
Affected packages
Maven / org.eclipse.hono:hono-core
Package
- Name
- org.eclipse.hono:hono-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.eclipse.hono/hono-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.4.3
Affected versions
0.*
0.5-M1
0.5-M2
0.5-M3
0.5-M4
0.5-M5
0.5-M6
0.5-M7
0.5-M8
0.5-M9
0.5-M10
0.5
0.6-M1
0.6-M2
0.6
0.7-M1
0.7-M2
0.7
0.8-M1
0.8-M1_1
0.8-M2
0.8
0.9-M1
0.9-M2
0.9
1.*
1.0-M1
1.0-M2
1.0-M3
1.0-M4
1.0-M5
1.0-M6
1.0-M7
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0-M1
1.1.0-M2
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0-M1
1.3.0-M2
1.3.0-M3
1.3.0
1.3.1
1.3.2
1.4.0