
CVE-2021-27576: Uncontrolled Resource Consumption in Apache OpenMeetings server

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.90174%
Published: 6/16/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: org.apache.openmeetings:openmeetings-parent
Ecosystem: maven
Vulnerable Versions: >= 4.0.0, < 6.0.0
First Patched Version: 6.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two handlers in NetTestWebService: 1) the GET handler (download) generated bandwidth-intensive response streams of client-chosen size without limit, tracking concurrent clients in a counter that nothing ever enforced; 2) the POST handler (upload) accepted large request bodies without size validation or rate limiting. Commit 060a311 shows these handlers lacked the client-count check that was later moved into RateLimitRequestFilter, and commit afe26c9 shows the missing size validation. Because each request costs the server as much bandwidth as the caller asks for, an unauthenticated remote client (AV:N/PR:N in the vector above) can saturate the server's link, which is the availability-only impact (C:N/I:N/A:H) recorded for CVE-2021-27576.
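The following model, written for this page and not taken from OpenMeetings, shows the two failure modes the analysis above describes side by side: a net-test service whose per-client counter is incremented but never consulted and whose client-supplied size is honoured as-is (enforce=False), and the same service fronted by an admission check that refuses a client's excess concurrent requests and caps the bytes any one request may move (enforce=True). The class and method names, the limits of 2 concurrent requests per client and 1 MiB per request, and the client IPs are assumptions chosen for illustration; the real RateLimitRequestFilter is not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass, field

KiB, MiB = 1 << 10, 1 << 20


class TooManyRequests(Exception):
    """Client exceeded its concurrent net-test allowance (would map to HTTP 429)."""


class PayloadTooLarge(Exception):
    """Requested download size or upload body exceeds the cap (would map to HTTP 413)."""


@dataclass
class NetTestService:
    """Minimal model of a bandwidth-test endpoint (illustration, not OpenMeetings code).

    enforce=False mirrors the defect: the per-client counter is maintained but no
    handler ever checks it, and the client-chosen size is used unchanged.
    enforce=True mirrors a request filter that rejects excess concurrent requests
    from one client and caps the bytes a single request may move.
    """
    enforce: bool
    max_per_client: int = 2        # assumed limit on concurrent requests per client IP
    max_bytes: int = 1 * MiB       # assumed cap on bytes per request
    active: dict = field(default_factory=lambda: defaultdict(int))
    bytes_in_flight: int = 0       # bytes the server has committed to send or read

    def _admit(self, client_ip: str, size: int) -> None:
        if self.enforce:
            # Order matters: refuse on concurrency before reserving anything.
            if self.active[client_ip] >= self.max_per_client:
                raise TooManyRequests(client_ip)
            if size > self.max_bytes:
                raise PayloadTooLarge(size)
        # Vulnerable mode reaches this point unconditionally: the counter goes up,
        # but nothing above ever looked at it.
        self.active[client_ip] += 1
        self.bytes_in_flight += size

    def finish(self, client_ip: str, size: int) -> None:
        """Request completed: release the client's slot and the bandwidth it used."""
        self.active[client_ip] -= 1
        self.bytes_in_flight -= size

    def start_download(self, client_ip: str, requested_bytes: int) -> int:
        """GET handler: server generates `requested_bytes` of filler for the client."""
        self._admit(client_ip, requested_bytes)
        return requested_bytes

    def start_upload(self, client_ip: str, body_len: int) -> int:
        """POST handler: server reads a `body_len`-byte request body from the client."""
        self._admit(client_ip, body_len)
        return body_len


def flood(service: NetTestService, client_ip: str, n_requests: int, size: int):
    """Open n_requests concurrent downloads from one IP without finishing any.

    Returns (admitted, refused, bytes the server is now committed to sending).
    """
    admitted = refused = 0
    for _ in range(n_requests):
        try:
            service.start_download(client_ip, size)
            admitted += 1
        except (TooManyRequests, PayloadTooLarge):
            refused += 1
    return admitted, refused, service.bytes_in_flight


if __name__ == "__main__":
    attacker = "203.0.113.7"  # constructed sample address
    for enforce in (False, True):
        svc = NetTestService(enforce=enforce)
        print(f"enforce={enforce}: {flood(svc, attacker, 50, 100 * MiB)}")
```

With enforcement off, fifty 100 MiB downloads from a single address are all admitted and the server commits to sending 5,000 MiB; with enforcement on, every one of them is refused by the size cap, and even requests under the cap stop being admitted once the client holds two in flight. Releasing a slot with finish() makes room for the next request, which is the behaviour a correct concurrency limiter must have so that legitimate net tests keep working.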


WAF Protection Rules

WAF Rule

It was found that the NetTest web service can be used to overload the bandwidth of an Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0.
