CVE-2021-41973 — Infinite Loop in Software Foundation Apache Mina

CWE-835 — Infinite Loop9 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.8%

top 25.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Mina Apache Mina Oracle Flexcube Universal Banking +7 more

Timeline

PublishedNov 1

Latest updateApr 15

Description

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages10 packages

▶NVDapache/mina2.1.0 — 2.1.5+1

▶CVEListV5apache_software_foundation/apache_minaApache MINA — 2.1.5

▶NVDoracle/flexcube_universal_banking14.0 — 14.3+1

▶NVDoracle/banking_payments14.5

▶NVDoracle/oss_support_tools2.12.42

Patches

Patch: www.openwall.com ↗Patch: lists.apache.org ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Infinite loop in Apache MINA↗2021-11-03

▶

GHSA

Infinite loop in Apache MINA↗2021-11-03

▶

OSV

CVE-2021-41973: In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely↗2021-11-01

▶

CVEList

Apache MINA HTTP listener DOS↗2021-11-01

▶

📋Vendor Advisories

Oracle

Oracle Oracle JD Edwards Risk Matrix: Interoperability SEC (Apache Mina) — CVE-2021-41973↗2023-04-15

▶

Oracle

Oracle Oracle Support Tools Risk Matrix: Diagnostic Assistant (Apache MINA) — CVE-2021-41973↗2022-04-15

▶

Red Hat

mina-core: infinite loop may lead to DoS↗2021-11-01

▶

Debian

CVE-2021-41973: mina - In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTT...↗2021

▶