CVE-2024-1300

{"id": "CVE-2024-1300", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2024-04-02T08:15:53.993", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1706", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1923", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:2088", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1300", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", "source": "secalert@redhat.com"}, {"url": "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error."}, {"lang": "es", "value": "Una vulnerabilidad en Eclipse Vert.x toolkit provoca una p\u00e9rdida de memoria en servidores TCP configurados con soporte TLS y SNI. Al procesar un nombre de servidor SNI desconocido al que se le asigna el certificado predeterminado en lugar de un certificado asignado, el contexto SSL se almacena en cach\u00e9 por error en el mapa de nombres del servidor, lo que provoca que se agote la memoria. Esta falla permite a los atacantes enviar mensajes de saludo al cliente TLS con nombres de servidor falsos, lo que provoca un error de falta de memoria de JVM."}], "lastModified": "2024-04-29T07:15:06.423", "sourceIdentifier": "secalert@redhat.com"}