CVE-2014-3648

EPSS 0.33%
Veröffentlicht 01.07.2022 14:15:08
Zuletzt bearbeitet 21.11.2024 02:08:34
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting it's time with slow endpoints. Similarly, one can provide whatever HTTP end point they want. This turns the server into a DDOS vector or an anonymizer for the posting of malware and so on.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Jboss Aerogear Version1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.548

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://issues.redhat.com/browse/AEROGEAR-6091

Vendor Advisory

Issue Tracking

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2014-3648

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-3648

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-3648

EUVD