// For flags

CVE-2020-27217

 

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP 1.0 protocol explicitly disallows a peer to send such messages, a hand crafted AMQP 1.0 client could exploit this behavior in order to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out of memory exception.

En Eclipse Hono versiones 1.3.0 y 1.4.0, el adaptador de protocolo AMQP no verifica el tamaño de los mensajes AMQP recibidos desde dispositivos. En particular, un dispositivo puede enviar mensajes que son más grandes que el tamaño máximo de mensaje que el adaptador de protocolo ha indicado durante el establecimiento del enlace. Si bien el protocolo AMQP versión 1.0 explícitamente no permite a un peer enviar dichos mensajes, un cliente AMQP versión 1.0 diseñado podría explotar este comportamiento a fin de enviar un mensaje de tamaño ilimitado hacia el adaptador, lo que eventualmente causa a un adaptador un fallo con una excepción de falta de memoria

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-10-19 CVE Reserved
  • 2020-11-13 CVE Published
  • 2023-07-30 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-1284: Improper Validation of Specified Quantity in Input
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567068 2020-12-01
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Eclipse
Search vendor "Eclipse"
 Hono
Search vendor "Eclipse" for product "Hono"
 1.3.0
Search vendor "Eclipse" for product "Hono" and version "1.3.0"
-
Affected
Eclipse
Search vendor "Eclipse"
 Hono
Search vendor "Eclipse" for product "Hono"
 1.4.0
Search vendor "Eclipse" for product "Hono" and version "1.4.0"
-
Affected