GHSA-2457-2263-MM9F

Vulnerability from github – Published: 2022-01-21 23:19 – Updated: 2022-01-19 19:56
VLAI?
Summary
Memory leak in micronaut-core
Details

Impact

Sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state.

Patches

The problem is patched in Micronaut 3.2.7 and above.

Workarounds

The default content type binder can be replaced in an existing Micronaut application to mitigate the issue:

package example;

import java.util.List;
import io.micronaut.context.annotation.Replaces;
import io.micronaut.core.convert.ConversionService;
import io.micronaut.http.MediaType;
import io.micronaut.http.bind.DefaultRequestBinderRegistry;
import io.micronaut.http.bind.binders.RequestArgumentBinder;
import jakarta.inject.Singleton;

@Singleton
@Replaces(DefaultRequestBinderRegistry.class)
class FixedRequestBinderRegistry extends DefaultRequestBinderRegistry {

    public FixedRequestBinderRegistry(ConversionService conversionService,
                                      List<RequestArgumentBinder> binders) {
        super(conversionService, binders);
    }

    @Override
    protected void registerDefaultConverters(ConversionService<?> conversionService) {
        super.registerDefaultConverters(conversionService);
        conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -> {
            try {
                return MediaType.of(charSequence);
            } catch (IllegalArgumentException e) {
                return null;
            }
        });
    }
}

References

Commit that introduced the vulnerability https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3

For more information

If you have any questions or comments about this advisory:

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-19T19:56:29Z",
    "nvd_published_at": "2022-01-18T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nSending an invalid Content Type header leads to memory leak in `DefaultArgumentConversionContext` as this type is erroneously used in static state.\n\n### Patches\n\nThe problem is patched in Micronaut 3.2.7 and above.\n\n### Workarounds\n\nThe default content type binder can be replaced in an existing Micronaut application to mitigate the issue:\n\n```java\npackage example;\n\nimport java.util.List;\nimport io.micronaut.context.annotation.Replaces;\nimport io.micronaut.core.convert.ConversionService;\nimport io.micronaut.http.MediaType;\nimport io.micronaut.http.bind.DefaultRequestBinderRegistry;\nimport io.micronaut.http.bind.binders.RequestArgumentBinder;\nimport jakarta.inject.Singleton;\n\n@Singleton\n@Replaces(DefaultRequestBinderRegistry.class)\nclass FixedRequestBinderRegistry extends DefaultRequestBinderRegistry {\n\n    public FixedRequestBinderRegistry(ConversionService conversionService,\n                                      List\u003cRequestArgumentBinder\u003e binders) {\n        super(conversionService, binders);\n    }\n\n    @Override\n    protected void registerDefaultConverters(ConversionService\u003c?\u003e conversionService) {\n        super.registerDefaultConverters(conversionService);\n        conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -\u003e {\n            try {\n                return MediaType.of(charSequence);\n            } catch (IllegalArgumentException e) {\n                return null;\n            }\n        });\n    }\n}\n```\n\n### References\n\nCommit that introduced the vulnerability https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [Micronaut Core](https://github.com/micronaut-projects/micronaut-core/issues)\n* Email us at [info@micronaut.io](mailto:info@micronaut.io)\n",
  "id": "GHSA-2457-2263-mm9f",
  "modified": "2022-01-19T19:56:29Z",
  "published": "2022-01-21T23:19:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2457-2263-mm9f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21700"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Memory leak in micronaut-core"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.