{
  "threat_severity" : "Moderate",
  "public_date" : "2024-09-04T16:15:09Z",
  "bugzilla" : {
    "description" : "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size",
    "id" : "2309758",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2309758"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "In Eclipse Vert.x versions 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of the message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). \nThis is fixed in version 4.5.10. \nNote that this does not affect the Vert.x gRPC server based on the grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)", "A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7052",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3.8",
    "package" : "io.vertx/vertx-grpc-client",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7052",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3.8",
    "package" : "io.vertx/vertx-grpc-server",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.8.6.redhat",
    "release_date" : "2024-09-23T00:00:00Z",
    "advisory" : "RHSA-2024:6437",
    "cpe" : "cpe:/a:redhat:quarkus:3.8::el8",
    "package" : "io.vertx/vertx-grpc-client:4.5.7.redhat-00003",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.8.6.redhat",
    "release_date" : "2024-09-23T00:00:00Z",
    "advisory" : "RHSA-2024:6437",
    "cpe" : "cpe:/a:redhat:quarkus:3.8::el8",
    "package" : "io.vertx/vertx-grpc-server:4.5.7.redhat-00003",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss EAP XP 5.0 Update 1.0",
    "release_date" : "2025-01-21T00:00:00Z",
    "advisory" : "RHSA-2025:0542",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0",
    "package" : "io.vertx/vertx-grpc"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.34.0-6",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.34.0-6",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.34.0-5",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.34.0-6",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.34.0-2",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-management-console-rhel8:1.34.0-5",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-operator-bundle:1.34.0-5",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-rhel8-operator:1.34.0-5",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-swf-builder-rhel8:1.34.0-6",
    "impact" : "moderate"
  }, {
    "product_name" : "RHOSS-1.34-RHEL-8",
    "release_date" : "2024-10-14T00:00:00Z",
    "advisory" : "RHSA-2024:8023",
    "cpe" : "cpe:/a:redhat:openshift_serverless:1.34::el8",
    "package" : "openshift-serverless-1/logic-swf-devmode-rhel8:1.34.0-6",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Affected",
    "package_name" : "io.vertx/vertx-grpc-server",
    "cpe" : "cpe:/a:redhat:serverless:1",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Affected",
    "package_name" : "io.vertx.vertx-grpc-server",
    "cpe" : "cpe:/a:redhat:quarkus:3",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Will not fix",
    "package_name" : "io.vertx/vertx-grpc-client",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Will not fix",
    "package_name" : "io.vertx/vertx-grpc-server",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Affected",
    "package_name" : "io.vertx/vertx-grpc",
    "cpe" : "cpe:/a:redhat:jbosseapxp",
    "impact" : "moderate"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-8391\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8391\nhttps://github.com/eclipse-vertx/vertx-grpc/issues/113\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/31" ],
  "name" : "CVE-2024-8391",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}