Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12M2g4LXJ3NDgtaDRncs3ubQ
Apache Geronimo Hash Collisions Cause DoS
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Permalink: https://github.com/advisories/GHSA-v3h8-rw48-h4grJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12M2g4LXJ3NDgtaDRncs3ubQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 10 months ago
Identifiers: GHSA-v3h8-rw48-h4gr, CVE-2011-5034
References:
- https://nvd.nist.gov/vuln/detail/CVE-2011-5034
- https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
- https://lists.apache.org/thread.html/r20957aa5962a48328f199e2373f408aeeae601a45dd5275a195e2b6e@%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/r360b70489bad65286b49ceb5303a849d2a7ec7d1292774a7259579e1@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r3c541f019b74902e8e61d73e40ecc2837dfce1b744ad5546919b993c@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r4fe6b5ff1d48e23337304fd5ac983d89328aecbd1fa198cfc966fbd7@%3Cdev.geronimo.apache.org%3E
- https://lists.apache.org/thread.html/r653f633aa7b6ccbb8c338dbfcea7a00e4ae9d6f3e064a03cab8dc20d@%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/r67747af92035942c9c413bd8394acbb8a1ace5833c0177014c825bc2@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r8dc1a0ae0e0cf9d2494b8cbd66562f99331c4cf635e7781850a9b9ba@%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/ra10015f6f3c3c88b7d813383554e87c06347fe163487148669189b8e@%3Cdev.geronimo.apache.org%3E
- https://lists.apache.org/thread.html/ra1fe29f6399b68980f914d8613dee7f67d62a1a97722fe9cd56f4f5f@%3Cdev.geronimo.apache.org%3E
- https://lists.apache.org/thread.html/rb0e85243d7268f1d7a1edb5e6c7df885dbd300acabaaf4cb0e880518@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/rdd67ea3e489134f653349fc2cb09828ac8462aa61dd776b505a3297a@%3Cissues.karaf.apache.org%3E
- http://www.kb.cert.org/vuls/id/903934
- http://www.ocert.org/advisories/ocert-2011-003.html
- https://web.archive.org/web/20120105151644/http://www.nruns.com/_downloads/advisory28122011.pdf
- https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- https://github.com/advisories/GHSA-v3h8-rw48-h4gr
Blast Radius: 0.0
Affected Packages
maven:org.apache.geronimo:geronimo
Dependent packages: 4Dependent repositories: 9
Downloads:
Affected Version Ranges: < 2.2.1
Fixed in: 2.2.1
All affected versions: 2.0.1, 2.0.2, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8
All unaffected versions: 2.2.1, 3.0.0, 3.0.1