Vulnerabilities > Eclipse > Vert X
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-04 | CVE-2024-8391 | Allocation of Resources Without Limits or Throttling vulnerability in Eclipse Vert.X In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in the 4.5.10 version. Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc) | 7.5 |
| 2020-10-15 | CVE-2019-17640 | Path Traversal vulnerability in Eclipse Vert.X In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly processes back slashes on Windows Operating systems, allowing, escape the webroot folder to the current working directory. | 9.8 |
| 2018-10-10 | CVE-2018-12544 | XXE vulnerability in Eclipse Vert.X In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. | 9.8 |
| 2018-10-10 | CVE-2018-12542 | Path Traversal vulnerability in Eclipse Vert.X In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. | 9.8 |
| 2018-10-10 | CVE-2018-12541 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Eclipse Vert.X In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. | 6.5 |
| 2018-08-14 | CVE-2018-12537 | Improper Input Validation vulnerability in Eclipse Vert.X In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. | 5.3 |
| 2018-07-12 | CVE-2018-12540 | Cross-Site Request Forgery (CSRF) vulnerability in Eclipse Vert.X In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. | 8.8 |