// For flags

CVE-2024-1023

Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.

Una vulnerabilidad en el kit de herramientas Eclipse Vert.x provoca una pérdida de memoria debido al uso de estructuras de datos Netty FastThreadLocal. Específicamente, cuando el cliente HTTP Vert.x establece conexiones con diferentes hosts, lo que desencadena la pérdida de memoria. La filtración se puede acelerar con un conocimiento íntimo del tiempo de ejecución, lo que permite a un atacante explotar esta vulnerabilidad. Por ejemplo, un servidor que acepte direcciones de Internet arbitrarias podría servir como vector de ataque al conectarse a estas direcciones, acelerando así la pérdida de memoria.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-01-29 CVE Reserved
  • 2024-03-27 CVE Published
  • 2024-07-26 EPSS Updated
  • 2024-11-25 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
 A Mq Clients
Search vendor "Redhat" for product "A Mq Clients"
*-
Affected
Redhat
Search vendor "Redhat"
 Amq
Search vendor "Redhat" for product "Amq"
*-
Affected
Redhat
Search vendor "Redhat"
 Amq Broker
Search vendor "Redhat" for product "Amq Broker"
*-
Affected
Redhat
Search vendor "Redhat"
 Amq Streams
Search vendor "Redhat" for product "Amq Streams"
*-
Affected
Redhat
Search vendor "Redhat"
 Apache Camel Spring Boot
Search vendor "Redhat" for product "Apache Camel Spring Boot"
*-
Affected
Redhat
Search vendor "Redhat"
 Build Keycloak
Search vendor "Redhat" for product "Build Keycloak"
*-
Affected
Redhat
Search vendor "Redhat"
 Build Of Keycloak
Search vendor "Redhat" for product "Build Of Keycloak"
*-
Affected
Redhat
Search vendor "Redhat"
 Build Of Optaplanner
Search vendor "Redhat" for product "Build Of Optaplanner"
*-
Affected
Redhat
Search vendor "Redhat"
 Build Of Quarkus
Search vendor "Redhat" for product "Build Of Quarkus"
*-
Affected
Redhat
Search vendor "Redhat"
 Camel Quarkus
Search vendor "Redhat" for product "Camel Quarkus"
*-
Affected
Redhat
Search vendor "Redhat"
 Camel Spring Boot
Search vendor "Redhat" for product "Camel Spring Boot"
*-
Affected
Redhat
Search vendor "Redhat"
 Cryostat
Search vendor "Redhat" for product "Cryostat"
*-
Affected
Redhat
Search vendor "Redhat"
 Data Grid
Search vendor "Redhat" for product "Data Grid"
*-
Affected
Redhat
Search vendor "Redhat"
 Integration
Search vendor "Redhat" for product "Integration"
*-
Affected
Redhat
Search vendor "Redhat"
 Integration Camel K
Search vendor "Redhat" for product "Integration Camel K"
*-
Affected
Redhat
Search vendor "Redhat"
 Integration Camel Quarkus
Search vendor "Redhat" for product "Integration Camel Quarkus"
*-
Affected
Redhat
Search vendor "Redhat"
 Jboss Data Grid
Search vendor "Redhat" for product "Jboss Data Grid"
*-
Affected
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
*-
Affected
Redhat
Search vendor "Redhat"
 Jboss Enterprise Bpms Platform
Search vendor "Redhat" for product "Jboss Enterprise Bpms Platform"
*-
Affected
Redhat
Search vendor "Redhat"
 Jboss Fuse
Search vendor "Redhat" for product "Jboss Fuse"
*-
Affected
Redhat
Search vendor "Redhat"
 Jbosseapxp
Search vendor "Redhat" for product "Jbosseapxp"
*-
Affected
Redhat
Search vendor "Redhat"
 Migration Toolkit
Search vendor "Redhat" for product "Migration Toolkit"
*-
Affected
Redhat
Search vendor "Redhat"
 Migration Toolkit Applications
Search vendor "Redhat" for product "Migration Toolkit Applications"
*-
Affected
Redhat
Search vendor "Redhat"
 Migration Toolkit Runtimes
Search vendor "Redhat" for product "Migration Toolkit Runtimes"
*-
Affected
Redhat
Search vendor "Redhat"
 Openshift
Search vendor "Redhat" for product "Openshift"
*-
Affected
Redhat
Search vendor "Redhat"
 Optaplanner
Search vendor "Redhat" for product "Optaplanner"
*-
Affected
Redhat
Search vendor "Redhat"
 Process Automation
Search vendor "Redhat" for product "Process Automation"
*-
Affected
Redhat
Search vendor "Redhat"
 Quarkus
Search vendor "Redhat" for product "Quarkus"
*-
Affected
Redhat
Search vendor "Redhat"
 Serverless
Search vendor "Redhat" for product "Serverless"
*-
Affected
Redhat
Search vendor "Redhat"
 Service Registry
Search vendor "Redhat" for product "Service Registry"
*-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
*-
Affected