CVE-2020-14307
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 24 Jul 2020, 00:00
Last modified: 04 Aug 2024, 12:39
Vulnerability Summary
Overall Risk (default)
medium
26/100 CVSS Score
6.5 MEDIUM
v3.1 (cve.org)
EPSS Score
0.28% LOW
0% probability -0.14%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
24 Jul 2020, 00:00
Published
Vulnerability first disclosed
04 Aug 2024, 12:39
Last Modified
Vulnerability information updated
Description
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.
CVSS Metrics
- v3.1 • MEDIUM • Score: 6.5 • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- v2.0 • MEDIUM • Score: 4 • Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.28% • Percentile: 52%
Techniques & Countermeasures
- CWE-404 • Improper Resource Shutdown or Release
The product does not release or incorrectly releases a resource before it is made available for re-use.
Affected Systems
- red hat • wildfly: jboss-ejb-client versions shipped with Red Hat JBoss EAP 7
- redhat • amq: 2.0
- redhat • jboss_enterprise_application_platform_continuous_delivery: na
- redhat • jboss_fuse: 6.0.0
- redhat • openshift_application_runtimes: na
- redhat • single_sign-on: 7.0