CVE-2020-35510
Aliases:GHSA-p6j8-hgv5-m35g
Advisory lineage Upstream: 0 Downstream: 3
Downstream
Modified
Published: 02 Jun 2021, 13:22
Last modified:04 Aug 2024, 17:02
Vulnerability Summary
Overall Risk (default)
medium
29/100 CVSS Score
7.1 HIGH
v2.0 (nvd)
EPSS Score
0.56% LOW
1% probability +0.37%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
02 Jun 2021, 13:22
Published
Vulnerability first disclosed
04 Aug 2024, 17:02
Last Modified
Vulnerability information updated
Description
A flaw was found in jboss-remoting in versions before 5.0.20.SP1-redhat-00001. A malicious attacker could cause threads to hold up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the ACK messages, or just tamper with jboss-remoting code, deleting the lines that send the ACK message from the EJB client code resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0•HIGH•Score: 7.1AV:N/AC:M/Au:N/C:N/I:N/A:C
EPSS Trends
Current EPSS score: 0.56%• Percentile: 69%
Techniques & Countermeasures
- CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- org.jboss.remoting•jboss-remoting
< 5.0.20.Final
- redhat•jboss-remoting
< 5.0.20 | 5.0.20