CVE-2021-21328Uncontrolled Resource Consumption in Project Vapor

CWE-400Uncontrolled Resource Consumption3 documents3 sources
Severity
5.3MEDIUMNVD
EPSS
0.4%
top 36.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Vapor Project VaporGithub.com Vapor VaporVapor
Timeline
PublishedFeb 26
Latest updateJun 9

Description

Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will create unlimited counters and timers, which will eventually drain the system. 2. downstream services might suffer from this attack as well by being spammed with error paths. This has been patched in 4.40.1. The `DefaultRe

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

NVDvapor_project/vapor< 4.40.1
SwiftURLgithub.com/vapor_vapor< 4.40.1
CVEListV5vapor/vapor4.40.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
Vapor's Metrics integration could cause a system drain2023-06-09
GHSA
Vapor's Metrics integration could cause a system drain2023-06-09