CVE-2020-27217: Improper Validation of Specified Quantity in Input in Eclipse Hono

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.54932%
Published: 2/10/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: org.eclipse.hono:hono-core
Ecosystem: maven
Vulnerable Versions: <= 1.4.0
First Patched Version: 1.4.3

Vulnerability Intelligence

Root Cause Analysis

The provided patches show configuration changes (ServiceConfigProperties.java) and test case modifications (AmqpUploadTestBase.java) but do not include the runtime message processing code where the vulnerability existed. The critical flaw was the AMQP adapter's failure to enforce max-message-size during message transfer; that enforcement would live in proton-j/vertx-proton library internals or in Hono's AMQP adapter message processing logic, neither of which is visible in these patches. The added test cases validate that max-message-size is properly advertised, but the vulnerable function that failed to enforce this limit during message reception is not present in the provided code changes. Without the modifications to the actual message ingestion path, the vulnerable functions cannot be definitively identified from the given patches.
