CVE-2014-3648

CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

7.5HIGH

EPSS

0.3%

top 44.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Aerogear

Timeline

PublishedJul 1

Latest updateJul 2

Description

The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting it's time with slow endpoints. Similarly, one can provide whatever HTTP end point they want. This turns the server into a DDOS vector or an anonymizer…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jboss_aerogearJboss Aerogear 1.0.0.final

▶NVDredhat/jboss_aerogear1.0.0

🔴Vulnerability Details

GHSA

GHSA-jh99-8qr7-cf7m: The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken↗2022-07-02

▶

CVEList

CVE-2014-3648: The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken↗2022-07-01

▶

💬Community

Bugzilla

CVE-2014-3648 JBoss AeroGear: DDoS via deviceToken↗2014-09-19

▶