CVE-2021-42697 (High) detected in akka-http-core_2.13-10.1.14.jar

[mend-for-github-com]

CVE-2021-42697 - High Severity Vulnerability

Vulnerable Library - akka-http-core_2.13-10.1.14.jar

Akka Http: Modern, fast, asynchronous, streaming-first HTTP server and client.

Library home page: https://akka.io

Path to vulnerable library: /home/wss-scanner/.ivy2/cache/com.typesafe.akka/akka-http-core_2.13/jars/akka-http-core_2.13-10.1.14.jar

Dependency Hierarchy:

• play-akka-http-server_2.13-2.8.8.jar (Root Library)
  • ❌ akka-http-core_2.13-10.1.14.jar (Vulnerable Library)

Found in HEAD commit: bd07c171f3e663057324c7cd6e77122963fcb27e

Found in base branch: 2.8.x

Vulnerability Details

Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.

Publish Date: 2021-11-02

URL: CVE-2021-42697

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://doc.akka.io/docs/akka-http/current/security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.html

Release Date: 2021-11-02

Fix Resolution (com.typesafe.akka:akka-http-core_2.13): 10.1.15

Direct dependency fix Resolution (com.typesafe.play:play-akka-http-server_2.13): 2.8.9