CVE-2020-27217

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-27217
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-27217.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-27217
Aliases
Published
2020-11-13T20:15:16Z
Modified
2024-10-12T06:25:18.134945Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP 1.0 protocol explicitly disallows a peer to send such messages, a hand crafted AMQP 1.0 client could exploit this behavior in order to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out of memory exception.

References

Affected packages

Git / github.com/eclipse/hono

Affected ranges

Type
GIT
Repo
https://github.com/eclipse/hono
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Last affected

Affected versions

0.*

0.5
0.5-M1
0.5-M10
0.5-M2
0.5-M3
0.5-M4
0.5-M5
0.5-M6
0.5-M7
0.5-M8
0.5-M9
0.6
0.6-M1
0.6-M2
0.7
0.7-M1
0.7-M2
0.8
0.8-M1
0.8-M1_1
0.8-M2
0.9
0.9-M1
0.9-M2

1.*

1.0-M1
1.0-M2
1.0-M3
1.0-M4
1.0-M5
1.0-M6
1.0-M7
1.0.0
1.1.0
1.1.0-M1
1.1.0-M2
1.2.0
1.3.0
1.3.0-M1
1.3.0-M2
1.3.0-M3
1.4.0