CVE-2020-27217: Improper Validation of Specified Quantity in Input in Eclipse Hono
In Eclipse Hono the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP protocol explicitly disallows a peer to send such messages, a hand crafted AMQP client could exploit this behavior in order to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out of memory exception.
References
Detect and mitigate CVE-2020-27217 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →