Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2021-37137

Disclosure Date: October 19, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Snappy frame decoder function doesn’t restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Vendors

  • debian,
  • netapp,
  • netty,
  • oracle,
  • quarkus

Products

  • banking apis,
  • banking apis 19.1,
  • banking apis 19.2,
  • banking apis 20.1,
  • banking apis 21.1,
  • banking digital experience 18.1,
  • banking digital experience 18.2,
  • banking digital experience 18.3,
  • banking digital experience 19.1,
  • banking digital experience 19.2,
  • banking digital experience 20.1,
  • banking digital experience 21.1,
  • commerce guided search 11.3.2,
  • communications brm - elastic charging engine,
  • communications brm - elastic charging engine 12.0.0.5.0,
  • communications cloud native core binding support function 1.10.0,
  • communications diameter signaling router,
  • debian linux 10.0,
  • debian linux 11.0,
  • netty,
  • oncommand insight -,
  • peoplesoft enterprise peopletools 8.57,
  • peoplesoft enterprise peopletools 8.58,
  • peoplesoft enterprise peopletools 8.59,
  • quarkus,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0

References

Advisory

Additional Info

Technical Analysis