CVE-2023-32081 – Vert.x STOMP server process client frames that would not send initially a connect frame
https://notcve.org/view.php?id=CVE-2023-32081
Vert.x STOMP is a vert.x implementation of the STOMP specification that provides a STOMP server and client. From versions 3.1.0 until 3.9.16 and 4.0.0 until 4.4.2, a Vert.x STOMP server processes client STOMP frames without checking that the client send an initial CONNECT frame replied with a successful CONNECTED frame. The client can subscribe to a destination or publish message without prior authentication. Any Vert.x STOMP server configured with an authentication handler is impacted. The issue is patched in Vert.x 3.9.16 and 4.4.2. • https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b https://github.com/vert-x3/vertx-stomp/security/advisories/GHSA-gvrq-cg5r-7chp • CWE-287: Improper Authentication •