CVE-2023-32081
Severity: MEDIUM
Vert.x STOMP 3.1.0-3.9.15 and 4.0.0-4.4.1 - Unauthenticated Message Subscription and Publishing
Title source: llmDescription
Vert.x STOMP is a vert.x implementation of the STOMP specification that provides a STOMP server and client. From versions 3.1.0 until 3.9.16 and 4.0.0 until 4.4.2, a Vert.x STOMP server processes client STOMP frames without checking that the client sent an initial CONNECT frame that was replied to with a successful CONNECTED frame. The client can subscribe to a destination or publish messages without prior authentication. Any Vert.x STOMP server configured with an authentication handler is impacted. The issue is patched in Vert.x 3.9.16 and 4.4.2. There are no trivial workarounds.
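The missing check described above is a per-connection state check: a STOMP server must refuse SUBSCRIBE, SEND and similar commands until the client's CONNECT (or STOMP) frame has been authenticated and answered with CONNECTED. The following is an added illustration written for this page, not Vert.x code and not the project's patch: a minimal STOMP frame parser plus a session handler whose `enforce_connect_state` flag (an assumed name) switches between the pre-fix behaviour, where frames are processed regardless of connection state, and the hardened behaviour. The credentials and frames are constructed sample data.

```python
"""Added example (not Vert.x code): a minimal STOMP 1.2 frame parser and a
per-connection authentication-state check. Names such as StompSession and
enforce_connect_state are illustrative, not Vert.x API."""
from dataclasses import dataclass


@dataclass
class Frame:
    command: str
    headers: dict
    body: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse one wire frame: COMMAND, header lines, blank line, body, NUL.
    Simplified: content-length is ignored, so a body containing NUL is not
    supported; header values are not STOMP-escaped."""
    raw = raw.replace(b"\r\n", b"\n")          # STOMP allows CRLF line ends
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("malformed frame: no end-of-headers blank line")
    lines = head.split(b"\n")
    command = lines[0].decode("utf-8")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        key, _, value = line.partition(b":")
        # Per the spec, the first occurrence of a repeated header wins.
        headers.setdefault(key.decode("utf-8"), value.decode("utf-8"))
    body = rest.split(b"\x00", 1)[0]            # drop the NUL terminator
    return Frame(command, headers, body)


class StompSession:
    """Server-side state for a single client connection."""

    def __init__(self, authenticate, enforce_connect_state=True):
        self._authenticate = authenticate        # callable(login, passcode) -> bool
        self._enforce = enforce_connect_state    # False reproduces the pre-fix behaviour
        self.connected = False                   # set only after a successful CONNECT
        self.subscriptions = {}                  # subscription id -> destination
        self.published = []                      # (destination, body) accepted for delivery

    def handle(self, raw: bytes) -> str:
        """Process one client frame and return the server's reply command:
        "CONNECTED", "ERROR", or "OK" when the frame was accepted silently."""
        frame = parse_frame(raw)
        if frame.command in ("CONNECT", "STOMP"):
            ok = self._authenticate(frame.headers.get("login"),
                                    frame.headers.get("passcode"))
            self.connected = bool(ok)
            return "CONNECTED" if ok else "ERROR"
        # The fix pattern: every other client command requires an accepted CONNECT.
        if self._enforce and not self.connected:
            return "ERROR"
        if frame.command == "SUBSCRIBE":
            self.subscriptions[frame.headers["id"]] = frame.headers["destination"]
            return "OK"
        if frame.command == "SEND":
            self.published.append((frame.headers["destination"], frame.body))
            return "OK"
        if frame.command == "DISCONNECT":
            self.connected = False
            return "OK"
        return "ERROR"                           # unknown command


def demo(enforce_connect_state: bool):
    """Feed a SUBSCRIBE and a SEND to a fresh session that never sent CONNECT.
    Returns the two replies and what the server state accepted."""
    creds = {"alice": "s3cret"}                  # constructed sample credentials
    session = StompSession(lambda u, p: creds.get(u) == p, enforce_connect_state)
    r1 = session.handle(b"SUBSCRIBE\nid:0\ndestination:/queue/orders\n\n\x00")
    r2 = session.handle(b"SEND\ndestination:/queue/orders\n\nhello\x00")
    return r1, r2, dict(session.subscriptions), list(session.published)


if __name__ == "__main__":
    print("pre-fix behaviour:", demo(False))   # subscription and message accepted
    print("with state check: ", demo(True))    # both refused with ERROR
```

With the check disabled the unauthenticated SUBSCRIBE and SEND are accepted and land in server state, which is the condition the advisory describes; with it enabled both are answered with ERROR until a CONNECT has passed the authentication callback. A detection-side takeaway is the same check inverted: a server log showing SUBSCRIBE or SEND frames on a connection with no preceding CONNECTED reply is the signature of this class of bug.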
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/vert-x3/vertx-stomp/security/advisories/GHSA-gvrq-cg5r-7chp
Scores
CVSS v3: 6.5
EPSS: 0.0051
EPSS Percentile: 39.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-287
Status: published
Products (2)
eclipse/vert.x_stomp: 3.1.0 - 3.9.16
io.vertx/vertx-stomp: 3.1.0 - 3.9.16 (Maven)
Published: May 12, 2023
Tracked Since: Feb 18, 2026