Vulnerability CVE-2021-21328


Published: 2021-02-26

Description:
Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will create unlimited counters and timers, which will eventually drain the system. 2. downstream services might suffer from this attack as well by being spammed with error paths. This has been patched in 4.40.1. The `DefaultResponder` will rewrite any undefined route paths for to `vapor_route_undefined` to avoid unlimited counters.

Type:

CWE-400

(Uncontrolled Resource Consumption ('Resource Exhaustion'))

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial
Affected software
Vapor project -> Vapor 

 References:
https://github.com/vapor/vapor/commit/e3aa712508db2854ac0ab905696c65fd88fa7e23
https://github.com/vapor/vapor/releases/tag/4.40.1
https://github.com/vapor/vapor/security/advisories/GHSA-gcj9-jj38-hwmc
https://vapor.codes/

Copyright 2021, cxsecurity.com

 

Back to Top