CVE-2021-41973

MEDIUM

Apache MINA < 2.0.22 - Infinite Loop

Title source: rule

Description

In Apache MINA, a specially crafted, malformed HTTP request may cause the HTTP header decoder to loop indefinitely. The decoder assumed that the HTTP header begins at the beginning of the buffer, and it loops if there is more data than expected. Please update MINA to 2.1.5 or greater.

References (4)

Core References
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/11/01/2
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/11/01/8
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 6.5
EPSS 0.0244
EPSS Percentile 85.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE
CWE-835
Status published
Products (14)
apache/mina < 2.0.22
oracle/banking_payments 14.5
oracle/banking_trade_finance_process_management 14.5
oracle/banking_treasury_management 14.5
oracle/communications_cloud_native_core_console 1.9.0
oracle/customer_management_and_segmentation_foundation 18.0
oracle/customer_management_and_segmentation_foundation 19.0
oracle/flexcube_universal_banking 14.5
oracle/flexcube_universal_banking 14.0 - 14.3
oracle/fusion_middleware_common_libraries_and_tools 12.2.1.3.0
... and 4 more
Published Nov 01, 2021
Tracked Since Feb 18, 2026