CVE-2020-27217 — HIGH (7.5)

Vulnerability Description

In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP 1.0 protocol explicitly disallows a peer to send such messages, a hand crafted AMQP 1.0 client could exploit this behavior in order to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out of memory exception.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Eclipse	Hono	1.3.0

Related Weaknesses (CWE)

CWE-1284

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=567068Issue TrackingVendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567068Issue TrackingVendor Advisory

FAQ

What is CVE-2020-27217?

CVE-2020-27217 is a vulnerability with a CVSS score of 7.5 (HIGH). In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the ma...

How severe is CVE-2020-27217?

CVE-2020-27217 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-27217?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Hono.