CVE-2020-27217: Buffer Overflow

November 13, 2020 (updated December 1, 2020)

In Eclipse Hono the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP protocol explicitly disallows a peer to send such messages, a hand crafted AMQP client could exploit this behavior in order to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out of memory exception.

References

bugs.eclipse.org/bugs/show_bug.cgi?id=567068
nvd.nist.gov/vuln/detail/CVE-2020-27217

Detect and mitigate CVE-2020-27217 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →