CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | LOW |

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

AI Score
Confidence: Low

EPSS Percentile: 13.0%
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When the server processes an unknown SNI server name and assigns it the default certificate instead of a mapped certificate, the resulting SSL context is erroneously cached in the server-name map, so the map grows without bound and leads to memory exhaustion. An attacker can exploit this flaw by sending TLS ClientHello messages carrying fabricated server names, triggering a JVM out-of-memory error.
Vendor | Product | Version | CPE |
---|---|---|---|
io.vertx | vertx-core | * | cpe:2.3:a:io.vertx:vertx-core:*:*:*:*:*:*:*:* |
access.redhat.com/errata/RHSA-2024:1662
access.redhat.com/errata/RHSA-2024:1706
access.redhat.com/errata/RHSA-2024:1923
access.redhat.com/errata/RHSA-2024:2088
access.redhat.com/errata/RHSA-2024:2833
access.redhat.com/errata/RHSA-2024:3527
access.redhat.com/errata/RHSA-2024:3989
access.redhat.com/errata/RHSA-2024:4884
access.redhat.com/security/cve/CVE-2024-1300
bugzilla.redhat.com/show_bug.cgi?id=2263139
github.com/advisories/GHSA-9ph3-v2vh-3qx7
github.com/eclipse-vertx/vert.x/commit/3d9235cadf44df39a70dc75bddfe0b8fcbd6a683
github.com/eclipse-vertx/vert.x/commit/7ad34ea9d78f85e26b231ee3ec8d492d10046479
github.com/eclipse-vertx/vert.x/pull/5099
github.com/eclipse-vertx/vert.x/pull/5100
github.com/eclipse-vertx/vert.x/pull/5101
nvd.nist.gov/vuln/detail/CVE-2024-1300
vertx.io/docs/vertx-core/java/#_server_name_indication_sni