CVE-2024-1023

MEDIUM

Io.vertx Vertx-core < 4.5.2 - Memory Leak

Title source: rule

Description

A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.

References (12)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1662

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:1706

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:2088

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:2833

[Issue Tracking] https://github.com/eclipse-vertx/vert.x/issues/5078

[Issue Tracking] https://github.com/eclipse-vertx/vert.x/pull/5080

[Issue Tracking] https://github.com/eclipse-vertx/vert.x/pull/5082

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:3527

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:3989

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:4884

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2024-1023

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2260840

Scores

CVSS v3 6.5

EPSS 0.0023

EPSS Percentile 45.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-401

Status draft

Affected Products (1)

io.vertx/vertx-core < 4.5.2Maven

Timeline

Published Mar 27, 2024

Tracked Since Feb 18, 2026