High severity vulnerability that affects com.typesafe.akka:akka-http-core_2.11 and com.typesafe.akka:akka-http-core_2.12 · CVE-2018-16131 · GitHub Advisory Database · GitHub

High severity vulnerability that affects com.typesafe.akka:akka-http-core_2.11 and com.typesafe.akka:akka-http-core_2.12

High severity GitHub Reviewed Published Oct 22, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

com.typesafe.akka:akka-http-core_2.11 (Maven)

Affected versions

>= 10.1.0, < 10.1.4

Patched versions

10.1.4

com.typesafe.akka:akka-http-core_2.12 (Maven)

>= 10.1.0, < 10.1.4

10.1.4

Description

The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb.

References

Published to the GitHub Advisory Database Oct 22, 2018

Reviewed Jun 16, 2020

Last updated Jan 9, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H