CVE-2021-21328 – vapor
Package
Manager: swift
Name: vapor
Vulnerable Version: >=0 <4.40.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
EPSS: 0.00442 (percentile 0.62382)
Details
Vapor's Metrics integration could cause a system drain

### Impact
This is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app. The attack vector:
1. Send unlimited requests against a Vapor instance with different paths. Because each distinct path becomes its own metric series, this creates "unlimited" counters and timers, which eventually drain the system (uncontrolled resource consumption, CWE-400).
2. Downstream services might suffer from this attack as well by being spammed with error paths.

### Patches
This has been patched in 4.40.1. The `DefaultResponder` now rewrites any undefined route path to `vapor_route_undefined` before it is recorded, so unmatched requests collapse into a single series instead of creating unlimited counters.

### Workarounds
Don't bootstrap a metrics system, or upgrade to 4.40.1.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Vapor](https://github.com/vapor/vapor)
* Ask in [Discord](http://vapor.team)
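The following is an added illustration of the label-cardinality problem the advisory describes and of the shape of the fix; it is a Python model, not Vapor's own code or the swift-metrics API. The route table, the metric name `http_requests_total` and the `MetricsRegistry` stand-in for a metrics backend are all constructed for this example; the only identifier taken from the advisory is the `vapor_route_undefined` placeholder route.

```python
"""Model of CVE-2021-21328: request paths used as metric dimensions.

Constructed example, not Vapor code. A metrics backend keeps one series
(counter or timer) per distinct (name, dimensions) pair and never frees it,
so every new dimension value an attacker can choose is permanent memory.
"""
import random
import string
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class MetricsRegistry:
    """Stand-in for a metrics backend: one series per (label, dimensions)."""
    counters: Counter = field(default_factory=Counter)

    def increment(self, label: str, dimensions: tuple) -> None:
        self.counters[(label, dimensions)] += 1

    @property
    def series(self) -> int:
        """Number of distinct series held in memory."""
        return len(self.counters)


# Hypothetical application route table: (method, path template).
ROUTES = [("GET", "/"), ("GET", "/users/:id"), ("POST", "/login")]


def match_route(method: str, path: str) -> Optional[str]:
    """Return the route template a request matches, or None if undefined."""
    segs = path.strip("/").split("/")
    for route_method, template in ROUTES:
        if route_method != method:
            continue
        tsegs = template.strip("/").split("/")
        if len(tsegs) != len(segs):
            continue
        if all(t.startswith(":") or t == s for t, s in zip(tsegs, segs)):
            return template
    return None


def record_vulnerable(reg: MetricsRegistry, method: str, path: str) -> None:
    """Pre-4.40.1 behaviour as the advisory describes it: the raw request
    path is a dimension, so every attacker-chosen path is a new series."""
    reg.increment("http_requests_total", (("method", method), ("path", path)))


def record_patched(reg: MetricsRegistry, method: str, path: str) -> None:
    """Patched behaviour: undefined routes collapse to vapor_route_undefined,
    and defined routes are labelled by their template, not the concrete path."""
    route = match_route(method, path) or "vapor_route_undefined"
    reg.increment("http_requests_total", (("method", method), ("path", route)))


def simulate(recorder: Callable, requests: list) -> int:
    """Feed requests through a recorder and return how many series exist after."""
    reg = MetricsRegistry()
    for method, path in requests:
        recorder(reg, method, path)
    return reg.series


def attack_paths(n: int, seed: int = 0) -> list:
    """Constructed attack traffic: n GET requests to random, undefined paths."""
    rng = random.Random(seed)
    return [("GET", "/" + "".join(rng.choices(string.ascii_lowercase, k=12)))
            for _ in range(n)]


LEGIT = [("GET", "/users/1"), ("GET", "/users/2"), ("GET", "/"), ("POST", "/login")]

if __name__ == "__main__":
    flood = attack_paths(5000)
    print("vulnerable, 5000 attack requests ->", simulate(record_vulnerable, flood), "series")
    print("patched,    5000 attack requests ->", simulate(record_patched, flood), "series")
    print("patched,    legit traffic        ->", simulate(record_patched, LEGIT), "series")
```

Note that the fix bounds cardinality in both directions: unmatched paths all land on `vapor_route_undefined`, and matched paths are labelled by their template (`/users/:id`), so a flood of `/users/<random>` does not create unlimited series either. When reviewing any metrics integration, apply the same check: every dimension must come from a finite set the server controls (route template, method, status class), never from a value the client picks.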
Metadata
Created: 2023-06-09T19:31:47Z
Modified: 2023-06-09T19:31:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-gcj9-jj38-hwmc/GHSA-gcj9-jj38-hwmc.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-gcj9-jj38-hwmc
Finding: F002
Auto approve: 1