CVE-2020-14307

wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.

Se encontró una vulnerabilidad en Wildfly's Enterprise Java Beans (EJB) versiones incluidas con Red Hat JBoss EAP 7, donde SessionOpenInvocations nunca es eliminada del InvocationTracker remoto después que una respuesta es recibida en el EJB Client, así como en el servidor. Este fallo permite a un atacante diseñar un ataque de denegación de servicio para hacer que el servicio no esté disponible

A vulnerability was found in Wildfly's Enterprise Java Beans (EJB), where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-17 CVE Reserved
2020-07-24 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-404: Improper Resource Shutdown or Release

CAPEC

References (3)

URL	Tag	Source
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14307	Issue Tracking

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2020-14307	2020-09-23
https://bugzilla.redhat.com/show_bug.cgi?id=1851327	2020-09-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Amq Search vendor "Redhat" for product "Amq"				2.0 Search vendor "Redhat" for product "Amq" and version "2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Continuous Delivery Search vendor "Redhat" for product "Jboss Enterprise Application Platform Continuous Delivery"				-		-		Affected
Redhat Search vendor "Redhat"		Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse"				6.0.0 Search vendor "Redhat" for product "Jboss Fuse" and version "6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Application Runtimes Search vendor "Redhat" for product "Openshift Application Runtimes"				-		-		Affected
Redhat Search vendor "Redhat"		Single Sign-on Search vendor "Redhat" for product "Single Sign-on"				7.0 Search vendor "Redhat" for product "Single Sign-on" and version "7.0"		-		Affected