Skip to content

Apache Geronimo Hash Collisions Cause DoS

High severity GitHub Reviewed Published May 13, 2022 to the GitHub Advisory Database • Updated Jan 15, 2024

Package

maven org.apache.geronimo:geronimo (Maven)

Affected versions

< 2.2.1

Patched versions

2.2.1

Description

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

References

Published by the National Vulnerability Database Dec 30, 2011
Published to the GitHub Advisory Database May 13, 2022
Last updated Jan 15, 2024
Reviewed Jan 15, 2024

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(98th percentile)

Weaknesses

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Learn more on MITRE.

CVE ID

CVE-2011-5034

GHSA ID

GHSA-v3h8-rw48-h4gr

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.