
CVE-2021-21328: Vapor's Metrics integration could cause a system drain

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.62356%
Published: 6/9/2023
Updated: 6/19/2023
KEV Status: No
Technology: Swift

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: github.com/vapor/vapor
Ecosystem: swift
Vulnerable Versions: <= 4.40.0
First Patched Version: 4.40.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how metrics were recorded for undefined routes. The unpatched version in DefaultResponder.swift used the actual request path (request.url.path) for metric dimensions when no route was found. This allowed attackers to exhaust system resources by sending requests with unique paths. The patched version introduces path/method normalization to 'vapor_route_undefined' for undefined routes, preventing metric explosion. The commit diff shows critical changes to the metrics handling logic in DefaultResponder's updateMetrics function, confirming this as the vulnerable component.
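The following Swift snippet is an added illustration of the labeling problem described above; it is not Vapor's code and does not use Vapor's API. It models a metrics backend as a dictionary with one counter per distinct (method, path) label pair, then compares the unpatched labeling (the raw request path, what the page calls request.url.path, becomes the label when no route matches) with the normalized labeling (both labels collapse to the 'vapor_route_undefined' sentinel named on the page). The CounterStore type, the pathLabels function, the simulation helper and the sample traffic are all constructed for this example.

```swift
import Foundation

/// Stand-in for a metrics backend: one counter per distinct label set.
/// Constructed for this example; not Vapor's or swift-metrics' code.
final class CounterStore {
    private(set) var counters: [String: Int] = [:]

    func increment(method: String, path: String) {
        // The backend keys storage on the full label set, so every new
        // (method, path) combination allocates a new counter.
        let key = "\(method) \(path)"
        counters[key, default: 0] += 1
    }

    /// Number of distinct counters the backend is holding.
    var cardinality: Int { counters.count }
}

/// Chooses the method/path labels for a request.
/// - matchedRoute: the route pattern the router resolved (e.g. "/users/:id"),
///   or nil when no route matched.
/// - rawPath: stands in for the request's URL path (request.url.path on the page).
/// - normalizeUndefined: false reproduces the unpatched behaviour, true the fix
///   the page describes (path/method normalized to 'vapor_route_undefined').
func pathLabels(method: String, matchedRoute: String?, rawPath: String,
                normalizeUndefined: Bool) -> (method: String, path: String) {
    if let route = matchedRoute {
        // Bounded: one label per declared route pattern, not per concrete URL.
        return (method, route)
    }
    if normalizeUndefined {
        // Patched: every undefined route shares a single fixed label set.
        return ("vapor_route_undefined", "vapor_route_undefined")
    }
    // Unpatched: the client-controlled raw path becomes a label value, so the
    // number of counters grows with the number of distinct paths requested.
    return (method, rawPath)
}

/// Feeds `n` requests with distinct, unrouted paths into a fresh backend and
/// returns how many counters exist afterwards.
func simulateUndefinedRouteTraffic(requests n: Int, normalizeUndefined: Bool) -> Int {
    let store = CounterStore()
    for i in 0..<n {
        // Constructed sample traffic: each path is unique and matches no route.
        let rawPath = "/no-such-route/\(UUID().uuidString)-\(i)"
        let labels = pathLabels(method: "GET", matchedRoute: nil, rawPath: rawPath,
                                normalizeUndefined: normalizeUndefined)
        store.increment(method: labels.method, path: labels.path)
    }
    return store.cardinality
}

/// Simple operational check a defender can run against any label scheme:
/// label cardinality must stay below a fixed bound regardless of request count.
func cardinalityIsBounded(normalizeUndefined: Bool, requests: Int, limit: Int) -> Bool {
    return simulateUndefinedRouteTraffic(requests: requests,
                                         normalizeUndefined: normalizeUndefined) <= limit
}

let requests = 10_000
let unpatched = simulateUndefinedRouteTraffic(requests: requests, normalizeUndefined: false)
let patched = simulateUndefinedRouteTraffic(requests: requests, normalizeUndefined: true)
print("unpatched labeling: \(unpatched) counters after \(requests) requests")
print("normalized labeling: \(patched) counter(s) after \(requests) requests")
print("unpatched bounded? \(cardinalityIsBounded(normalizeUndefined: false, requests: requests, limit: 100))")
print("normalized bounded? \(cardinalityIsBounded(normalizeUndefined: true, requests: requests, limit: 100))")
```

Run with `swift` on the file; the unpatched scheme ends with one counter per request while the normalized scheme ends with one counter total. The same cardinality check applies to any label whose value is taken from client input (paths, query strings, user agents): if the bound grows with traffic rather than with the declared route table, the metric is a memory-exhaustion vector.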

WAF Protection Rules

WAF Rule

Impact

This is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app with the following attack vector: 1. send unlimited requests against a vapor instance with different paths. This will create "unlimited" counters and
