CVE-2023-32081

Source
https://cve.org/CVERecord?id=CVE-2023-32081
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-32081.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-32081
Aliases
Published
2023-05-12T13:49:56.969Z
Modified
2026-04-27T10:55:04.080429Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Vert.x STOMP server processes frames from clients that did not initially send a CONNECT frame
Details

Vert.x STOMP is a Vert.x implementation of the STOMP specification that provides a STOMP server and client. From versions 3.1.0 until 3.9.16 and 4.0.0 until 4.4.2, a Vert.x STOMP server processes client STOMP frames without checking that the client sent an initial CONNECT frame that was answered with a successful CONNECTED frame. A client can therefore subscribe to a destination or publish messages without prior authentication. Any Vert.x STOMP server configured with an authentication handler is impacted. The issue is patched in Vert.x 3.9.16 and 4.4.2. There are no trivial workarounds.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32081.json",
    "cwe_ids": [
        "CWE-287"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/vert-x3/vertx-stomp

Affected ranges

Type
GIT
Repo
https://github.com/vert-x3/vertx-stomp
Events
Database specific
{
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:eclipse:vert.x_stomp:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.1.0"
        },
        {
            "fixed": "3.9.16"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.4.2"
        }
    ]
}

Affected versions

3.*
3.1.0
3.2.0
3.3.0
3.3.0.CR2
3.3.1
3.3.2
3.3.3
3.4.0.Beta1
3.5.0
3.5.0.Beta1
3.5.1
3.6.0
3.6.0.CR1
3.6.0.CR2
3.6.1
3.6.2
3.6.3
3.7.0
3.7.1
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.9.0
3.9.1
3.9.10
3.9.11
3.9.12
3.9.13
3.9.14
3.9.15
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
3.9.7
3.9.8
3.9.9
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.1.0.Beta1
4.1.0.CR1
4.1.0.CR2
4.1.1
4.2.0
4.2.0.Beta1
4.2.0.CR1
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0
4.4.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-32081.json"
vanir_signatures_modified
"2026-04-27T10:55:04Z"
vanir_signatures
[
    {
        "source": "https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b",
        "digest": {
            "function_hash": "275403424190377329176982385335749893157",
            "length": 1446.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "function": "listen",
            "file": "src/main/java/io/vertx/ext/stomp/impl/StompServerImpl.java"
        },
        "deprecated": false,
        "id": "CVE-2023-32081-1806ba8e"
    },
    {
        "source": "https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "src/test/java/io/vertx/ext/stomp/impl/SecuredServerConnectionTest.java"
        },
        "deprecated": false,
        "id": "CVE-2023-32081-530f615d"
    },
    {
        "source": "https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b",
        "digest": {
            "function_hash": "312960285791507147957471414720729445618",
            "length": 219.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "function": "DefaultStompHandler",
            "file": "src/main/java/io/vertx/ext/stomp/impl/DefaultStompHandler.java"
        },
        "deprecated": false,
        "id": "CVE-2023-32081-96c0d269"
    },
    {
        "source": "https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b",
        "digest": {
            "function_hash": "326526211052372093386377261597725073304",
            "length": 380.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "function": "setUp",
            "file": "src/test/java/io/vertx/ext/stomp/impl/SecuredServerConnectionTest.java"
        },
        "deprecated": false,
        "id": "CVE-2023-32081-a5f844be"
    },
    {
        "source": "https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b",
        "digest": {
            "function_hash": "187647606800494309133135991787646964021",
            "length": 304.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "function": "validate",
            "file": "src/test/java/io/vertx/ext/stomp/impl/SecuredServerConnectionTest.java"
        },
        "deprecated": false,
        "id": "CVE-2023-32081-a7e9cb93"
    },
    {
        "source": "https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/io/vertx/ext/stomp/impl/StompServerImpl.java"
        },
        "deprecated": false,
        "id": "CVE-2023-32081-af0e8b3a"
    },
    {
        "source": "https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b",
        "digest": {
            "function_hash": "148708653806865686765654367429225080900",
            "length": 993.0
        },
        "signature_type": "Function",
        "signature_version": "v1",
        "target": {
            "function": "webSocketHandler",
            "file": "src/main/java/io/vertx/ext/stomp/impl/StompServerImpl.java"
        },
        "deprecated": false,
        "id": "CVE-2023-32081-b694468b"
    },
    {
        "source": "https://github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/io/vertx/ext/stomp/impl/DefaultStompHandler.java"
        },
        "deprecated": false,
        "id": "CVE-2023-32081-f9a1c251"
    }
]