CVE-2024-1023

medium

Description

A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.

References

https://github.com/eclipse-vertx/vert.x/pull/5082

https://github.com/eclipse-vertx/vert.x/pull/5080

https://github.com/eclipse-vertx/vert.x/issues/5078

https://bugzilla.redhat.com/show_bug.cgi?id=2260840

https://access.redhat.com/security/cve/CVE-2024-1023

https://access.redhat.com/errata/RHSA-2024:4884

https://access.redhat.com/errata/RHSA-2024:3989

https://access.redhat.com/errata/RHSA-2024:3527

https://access.redhat.com/errata/RHSA-2024:2833

https://access.redhat.com/errata/RHSA-2024:2088

https://access.redhat.com/errata/RHSA-2024:1706

https://access.redhat.com/errata/RHSA-2024:1662

Details

Source: Mitre, NVD

Published: 2024-03-27

Updated: 2024-07-25

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium