CVE Vulnerability

CVE-2021-21328

Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who Bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. send unlimited requests against a vapor instance with different paths. this will create unlimited counters and timers, which will eventually drain the system. 2. downstream services might suffer from this attack as well by being spammed with error paths. This has been patched in 4.40.1. The `DefaultResponder` will rewrite any undefined route paths for to `vapor_route_undefined` to avoid unlimited counters.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/vapor/vapor/releases/tag/4.40.1 Release Notes Third Party Advisory
https://github.com/vapor/vapor/commit/e3aa712508db2854ac0ab905696c65fd88fa7e23 Patch Third Party Advisory
https://github.com/vapor/vapor/security/advisories/GHSA-gcj9-jj38-hwmc Third Party Advisory
https://vapor.codes/ Product
Configurations

Configuration 1

cpe:2.3:a:vapor_project:vapor:*:*:*:*:*:swift:*:*
Information

Published : 2021-02-26 02:15

Updated : 2021-03-05 07:38

NVD link : CVE-2021-21328

Mitre link : CVE-2021-21328

Products Affected
No products.
CWE
CWE-400