CVE-2024-8391 – io.vertx:vertx-grpc-server
Package
Manager: maven
Name: io.vertx:vertx-grpc-server
Vulnerable Version: >=4.3.0 <4.5.10
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.00103 pctl0.28754
Details
Vertx gRPC server does not limit the maximum message size
In Eclipse Vert.x versions 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of a message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in version 4.5.10. Note that this does not affect the Vert.x gRPC server based on the grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc).
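The decoder below is an added illustration, not code from Vert.x or the advisory, showing the failure mode at the wire level. A gRPC message on HTTP/2 is a 5-byte header (1-byte compressed flag, 4-byte big-endian length) followed by the body, and the body may span many HTTP/2 DATA frames, so the HTTP/2 SETTINGS_MAX_FRAME_SIZE does not bound it. A decoder that simply buffers until the declared length has arrived lets a peer declare 0xFFFFFFFF and keep the server holding up to 4 GiB per stream (CWE-770). The hardened path checks the declared length against a limit as soon as the header is parsed, before retaining any body bytes, and fails the stream with gRPC status 8 (RESOURCE_EXHAUSTED). The class and function names, the 256 KiB limit and the simulated traffic are assumptions of this example, not values taken from the Vert.x code base.

```python
import struct

# gRPC length-prefixed message framing (gRPC over HTTP/2):
#   1 byte  compressed flag
#   4 bytes message length, big-endian unsigned
#   N bytes message body
FRAME_HEADER_LEN = 5
# Limit chosen for this example; it is not taken from the Vert.x code base.
DEFAULT_MAX_MESSAGE_SIZE = 256 * 1024
GRPC_RESOURCE_EXHAUSTED = 8  # gRPC status code used for oversized messages


class MessageTooLarge(Exception):
    """A frame declared a body longer than the configured limit."""

    def __init__(self, declared: int, limit: int):
        super().__init__(f"declared message size {declared} exceeds limit {limit}")
        self.declared = declared
        self.limit = limit
        self.grpc_status = GRPC_RESOURCE_EXHAUSTED


def encode_frame(payload: bytes, compressed: bool = False) -> bytes:
    """Build one gRPC length-prefixed frame around payload."""
    return struct.pack(">BI", 1 if compressed else 0, len(payload)) + payload


class FrameDecoder:
    """Incremental decoder fed arbitrary byte chunks, as an HTTP/2 DATA frame
    handler would be.

    max_message_size=None reproduces the unbounded behaviour: the decoder keeps
    buffering until the full declared length has arrived, whatever that length
    is.  With an integer limit, the declared length is compared against the
    limit right after the 5-byte header is parsed, before any body byte is kept.
    """

    def __init__(self, max_message_size=DEFAULT_MAX_MESSAGE_SIZE):
        self.max_message_size = max_message_size
        self.buf = bytearray()
        self.messages = []       # decoded (compressed, body) tuples
        self.peak_buffered = 0   # largest amount of unconsumed data ever held

    def feed(self, chunk: bytes) -> None:
        self.buf += chunk
        self.peak_buffered = max(self.peak_buffered, len(self.buf))
        while len(self.buf) >= FRAME_HEADER_LEN:
            compressed, length = struct.unpack(">BI", self.buf[:FRAME_HEADER_LEN])
            if self.max_message_size is not None and length > self.max_message_size:
                self.buf.clear()  # drop pending data; the caller resets the stream
                raise MessageTooLarge(length, self.max_message_size)
            end = FRAME_HEADER_LEN + length
            if len(self.buf) < end:
                return  # body incomplete: wait for more chunks
            self.messages.append((bool(compressed), bytes(self.buf[FRAME_HEADER_LEN:end])))
            del self.buf[:end]


def simulate(max_message_size, declared_length: int, chunks: int, chunk_size: int):
    """Constructed peer: sends a header declaring declared_length, then streams
    `chunks` chunks of chunk_size bytes.  Returns (outcome, peak bytes buffered)."""
    dec = FrameDecoder(max_message_size)
    try:
        dec.feed(struct.pack(">BI", 0, declared_length))
        for _ in range(chunks):
            dec.feed(b"A" * chunk_size)
    except MessageTooLarge:
        return "rejected", dec.peak_buffered
    return ("buffering" if dec.buf else "complete"), dec.peak_buffered


if __name__ == "__main__":
    # Constructed attack: declare a 4 GiB body, actually send 1000 chunks of 1 KiB.
    print("no limit:", simulate(None, 0xFFFFFFFF, 1000, 1024))
    print("256 KiB :", simulate(DEFAULT_MAX_MESSAGE_SIZE, 0xFFFFFFFF, 1000, 1024))
```

The check must run on the declared length, not on the body once it has arrived: by then the allocation the attacker wanted has already happened. The same reasoning applies to the client side named in the advisory, since a malicious server can send an oversized response frame just as easily.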
Metadata
Created: 2024-09-04T18:30:58Z
Modified: 2024-09-04T20:32:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-g76f-gjfx-4rpr/GHSA-g76f-gjfx-4rpr.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-g76f-gjfx-4rpr
Finding: F029
Auto approve: 1