CVE-2021-21328
Published 2021-02-26. CVE-2021-21328: Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app…
Priority: P4 27
CVSS 3.1: 5.3 medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS: 1.63% (73.1th percentile)
Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app. The attack vector is: 1. Send unlimited requests against a Vapor instance with different paths. This creates unlimited counters and timers, which will eventually drain the system. 2. Downstream services might suffer from this attack as well, by being spammed with error paths. This has been patched in 4.40.1: the `DefaultResponder` rewrites the path label of any undefined route to `vapor_route_undefined` to avoid unlimited counters.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | vapor_vapor | >= 0 < 4.40.1 | 4.40.1 |
| vapor | vapor | <= 4.40.0 | — |
| vapor_project | vapor | < 4.40.1 | 4.40.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
OSV (2023-06-09): CVE-2021-21328 [MEDIUM] Vapor's Metrics integration could cause a system drain
### Impact
This is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app. The attack vector:
1. Send unlimited requests against a Vapor instance with different paths. This creates "unlimited" counters and timers, which will eventually drain the system.
2. Downstream services might suffer from this attack as well, by being spammed with error paths.
### Patches
This has been patched in 4.40.1. The `DefaultResponder` rewrites the path label of any undefined route to `vapor_route_undefined` to avoid unlimited counters.
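The attack listed under Impact and the fix described under Patches, as an added Python model that is not Vapor's code: a toy responder records one counter and one timer series per distinct (method, path, status) label set, first with the pre-4.40.1 behaviour and then with the 4.40.1 behaviour. The route table, the probe paths and the assumption that an unmatched request was labelled with its raw path before the fix are constructed for the example; `cardinality_exceeded` is a generic operational check derived from the route table, not something the advisory describes.

```python
"""Model of the metrics-cardinality DoS described in CVE-2021-21328.

Added illustration, not Vapor's code: shows why per-request labels taken
from attacker-controlled paths grow without bound, and why collapsing
unmatched requests into one fixed label bounds the series count.
"""
from collections import Counter
from dataclasses import dataclass, field
import re

# Label the 4.40.1 fix assigns to requests that match no registered route
UNDEFINED_ROUTE = "vapor_route_undefined"

# Constructed route table for the example: route template -> path matcher
ROUTES = {
    "/hello": re.compile(r"^/hello$"),
    "/users/:id": re.compile(r"^/users/[^/]+$"),
}


def match_route(path):
    """Return the template of the first route matching `path`, or None."""
    for template, pattern in ROUTES.items():
        if pattern.match(path):
            return template
    return None


@dataclass
class MetricsBackend:
    """Stand-in for a bootstrapped metrics backend: one counter and one
    timer series per distinct (method, path, status) label set."""
    counters: Counter = field(default_factory=Counter)
    timers: dict = field(default_factory=dict)

    def record(self, method, path_label, status, duration_ns):
        key = (method, path_label, str(status))
        self.counters[key] += 1
        self.timers.setdefault(key, []).append(duration_ns)

    def series_count(self):
        """Number of distinct label sets held in memory."""
        return len(self.counters)


def respond(backend, method, path, collapse_undefined):
    """Handle one request and record metrics for it.

    collapse_undefined=False models the pre-4.40.1 behaviour (assumption:
    an unmatched request was labelled with its raw path); True models the
    4.40.1 fix, which rewrites the label to UNDEFINED_ROUTE.
    """
    route = match_route(path)
    status = 200 if route is not None else 404
    if route is not None:
        label = route            # route template: a bounded set
    elif collapse_undefined:
        label = UNDEFINED_ROUTE  # fixed label, so no new series per probe
    else:
        label = path             # attacker-chosen: one new series per request
    backend.record(method, label, status, duration_ns=1_000)
    return status


def simulate(n_probes, collapse_undefined):
    """Fire n_probes requests with distinct unmatched paths, then one
    legitimate request, and return the backend for inspection."""
    backend = MetricsBackend()
    for i in range(n_probes):
        respond(backend, "GET", f"/probe-{i}", collapse_undefined)
    respond(backend, "GET", "/users/42", collapse_undefined)
    return backend


def cardinality_exceeded(backend, max_series):
    """Operational check: flag a backend whose label-set count has grown
    past what the registered route table could legitimately produce."""
    return backend.series_count() > max_series


if __name__ == "__main__":
    n = 10_000
    # Legitimate growth is routes x methods x statuses plus the undefined
    # bucket; for this example: 2 routes, 1 method, 1 status, plus 1.
    budget = len(ROUTES) * 1 * 1 + 1
    vulnerable = simulate(n, collapse_undefined=False)
    patched = simulate(n, collapse_undefined=True)
    print("pre-4.40.1 series:", vulnerable.series_count(),
          "exceeded:", cardinality_exceeded(vulnerable, budget))
    print("4.40.1 series:   ", patched.series_count(),
          "exceeded:", cardinality_exceeded(patched, budget))
```

The same budget idea carries over to a real deployment: the number of series a metrics exporter should hold for HTTP request metrics is a function of the route table, the HTTP methods and the status codes in use, so a series count that tracks request volume instead of that product is the signal to look for.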
### Workarounds
Don't bootstrap a metrics system, or upgrade to 4.40.1.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Vapor]
GHSA (2023-06-09): CVE-2021-21328 [MEDIUM] CWE-400 Vapor's Metrics integration could cause a system drain
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/vapor/vapor/commit/e3aa712508db2854ac0ab905696c65fd88fa7e23
- https://github.com/vapor/vapor/releases/tag/4.40.1
- https://github.com/vapor/vapor/security/advisories/GHSA-gcj9-jj38-hwmc
- https://vapor.codes/
Published: 2021-02-26