CVE-2021-21328

Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will create unlimited counters and timers, which will eventually drain the system. 2. downstream services might suffer from this attack as well by being spammed with error paths. This has been patched in 4.40.1. The `DefaultResponder` will rewrite any undefined route paths for to `vapor_route_undefined` to avoid unlimited counters.
Configurations

Configuration 1 (hide)

cpe:2.3:a:vapor_project:vapor:*:*:*:*:*:swift:*:*

History

21 Nov 2024, 05:48

Type Values Removed Values Added
References () https://github.com/vapor/vapor/commit/e3aa712508db2854ac0ab905696c65fd88fa7e23 - Patch, Third Party Advisory () https://github.com/vapor/vapor/commit/e3aa712508db2854ac0ab905696c65fd88fa7e23 - Patch, Third Party Advisory
References () https://github.com/vapor/vapor/releases/tag/4.40.1 - Release Notes, Third Party Advisory () https://github.com/vapor/vapor/releases/tag/4.40.1 - Release Notes, Third Party Advisory
References () https://github.com/vapor/vapor/security/advisories/GHSA-gcj9-jj38-hwmc - Third Party Advisory () https://github.com/vapor/vapor/security/advisories/GHSA-gcj9-jj38-hwmc - Third Party Advisory
References () https://vapor.codes/ - Product () https://vapor.codes/ - Product

Information

Published : 2021-02-26 02:15

Updated : 2024-11-21 05:48


NVD link : CVE-2021-21328

Mitre link : CVE-2021-21328

CVE.ORG link : CVE-2021-21328


JSON object : View

Products Affected

vapor_project

  • vapor
CWE
CWE-400

Uncontrolled Resource Consumption