Miggo Logo

CVE-2021-21294: Unbounded connection acceptance in http4s-blaze-server

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.66369%
Published
2/2/2021
Updated
1/29/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.http4s:http4s-blaze-server_2.12maven< 0.21.170.21.17
org.http4s:http4s-blaze-server_2.13maven< 0.21.170.21.17

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key points: 1) The NIO1SocketServerGroup.fixedGroup method (pre-patch) created connection pools without enforcing maxConnections, as shown in the commit diff where it was replaced with a .fixed() method that includes this parameter. 2) The BlazeServerBuilder's constructor didn't propagate a connection limit to the server group initialization logic before the patch. The combination of these factors allowed unbounded connection queuing. The high confidence comes from explicit evidence in the patch (added maxConnections parameter in BlazeServerBuilder and server group initialization changes) and the vulnerability description's focus on missing connection bounding at the acceptance layer.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *l*z*-*or*, * li*r*ry un**rlyin* *ttp*s-*l*z*-s*rv*r, ****pts *onn**tions un*oun***ly on its s*l**tor pool. T*is **s t** n*t *****t o* *mpli*yin* ***r***tion in s*rvi**s t**t *r* un**l* to **n*l* t**ir *urr*nt r*qu*st lo**, sin** in*omin*

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) T** `NIO*So*k*tS*rv*r*roup.*ix***roup` m*t*o* (pr*-p*t**) *r**t** *onn**tion pools wit*out *n*or*in* `m*x*onn**tions`, *s s*own in t** *ommit *i** w**r* it w*s r*pl**** wit* * `.*ix**()` m*t*o* t**t in*