CVE-2022-25897: Allocation of Resources Without Limits or Throttling
The package org.eclipse.milo:sdk-server before 0.6.8 is vulnerable to Denial of Service (DoS): the limits that guard against excessive memory consumption can be bypassed by sending multiple CloseSession requests with the deleteSubscription parameter set to False.