Miggo Logo
Miggo Vulnerability Database
CVE-2023-34150

CVE-2023-34150: Apache Any23 vulnerable to excessive memory usage

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-34150
GHSA ID
GHSA-2gpr-j5vj-wvh2
EPSS Score
0.21222%
CWE
CWE-20
Published
7/5/2023
Updated
11/7/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.any23:apache-any23maven<= 2.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems directly from the use of TikaEncodingDetector for encoding detection, as stated in the advisory. The CWE-400 (Uncontrolled Resource Consumption) indicates a lack of safeguards against resource exhaustion. Since TikaEncodingDetector is designed to analyze byte streams for charset detection, its detect() method would be the logical entry point where input validation should occur. The absence of input size checks before processing would allow maliciously large inputs to trigger excessive memory allocation, aligning with the described vulnerability mechanism. Though no patch details are available, the component and attack pattern are explicitly identified in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Us* o* Tik**n*o*in***t**tor in *p**** *ny** **n **us* *x**ssiv* m*mory us***.

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom t** us* o* `Tik**n*o*in***t**tor` *or *n*o*in* **t**tion, *s st*t** in t** **visory. T** *W*-*** (Un*ontroll** R*sour** *onsumption) in*i**t*s * l**k o* s****u*r*s ***inst r*sour** *x**ustion. Sin** `Tik**n*o*in*