Vulnerability-Lookup

CNVD-2022-15492

Vulnerability from cnvd - Published: 2022-03-01

Title

Object Computing micronaut资源管理错误漏洞

Description

Object Computing micronaut是美国Object Computing公司的一款基于JVM的全栈框架，它主要用于构建模块化微服务和无服务器应用程序。 Object Computing Micronaut存在资源管理错误漏洞，该漏洞源于在受影响的版本中，发送无效的Content Type标头会导致DefaultArgumentConversionContext中的内存泄露，因为此类型在静态状态下被错误地使用。＃＃＃ Impact发送无效的 Content Type标头会导致`DefaultArgumentConversionContext`中的内存泄露，因为此类型在静态状态下被错误地使用。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Object Computing micronaut资源管理错误漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2457-2263-mm9f

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-21700

Impacted products

Name
Object Computing Micronaut <3.2.7

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-21700"
    }
  },
  "description": "Object Computing micronaut\u662f\u7f8e\u56fdObject Computing\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8eJVM\u7684\u5168\u6808\u6846\u67b6\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u6a21\u5757\u5316\u5fae\u670d\u52a1\u548c\u65e0\u670d\u52a1\u5668\u5e94\u7528\u7a0b\u5e8f\u3002\n\nObject Computing Micronaut\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u53d7\u5f71\u54cd\u7684\u7248\u672c\u4e2d\uff0c\u53d1\u9001\u65e0\u6548\u7684Content Type\u6807\u5934\u4f1a\u5bfc\u81f4DefaultArgumentConversionContext\u4e2d\u7684\u5185\u5b58\u6cc4\u9732\uff0c\u56e0\u4e3a\u6b64\u7c7b\u578b\u5728\u9759\u6001\u72b6\u6001\u4e0b\u88ab\u9519\u8bef\u5730\u4f7f\u7528\u3002\uff03\uff03\uff03 Impact\u53d1\u9001\u65e0\u6548\u7684 Content Type\u6807\u5934\u4f1a\u5bfc\u81f4`DefaultArgumentConversionContext`\u4e2d\u7684\u5185\u5b58\u6cc4\u9732\uff0c\u56e0\u4e3a\u6b64\u7c7b\u578b\u5728\u9759\u6001\u72b6\u6001\u4e0b\u88ab\u9519\u8bef\u5730\u4f7f\u7528\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2457-2263-mm9f",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-15492",
  "openTime": "2022-03-01",
  "patchDescription": "Object Computing micronaut\u662f\u7f8e\u56fdObject Computing\u516c\u53f8\u7684\u4e00\u6b3e\u57fa\u4e8eJVM\u7684\u5168\u6808\u6846\u67b6\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u6a21\u5757\u5316\u5fae\u670d\u52a1\u548c\u65e0\u670d\u52a1\u5668\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nObject Computing Micronaut\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u53d7\u5f71\u54cd\u7684\u7248\u672c\u4e2d\uff0c\u53d1\u9001\u65e0\u6548\u7684Content Type\u6807\u5934\u4f1a\u5bfc\u81f4DefaultArgumentConversionContext\u4e2d\u7684\u5185\u5b58\u6cc4\u9732\uff0c\u56e0\u4e3a\u6b64\u7c7b\u578b\u5728\u9759\u6001\u72b6\u6001\u4e0b\u88ab\u9519\u8bef\u5730\u4f7f\u7528\u3002\uff03\uff03\uff03 Impact\u53d1\u9001\u65e0\u6548\u7684 Content Type\u6807\u5934\u4f1a\u5bfc\u81f4`DefaultArgumentConversionContext`\u4e2d\u7684\u5185\u5b58\u6cc4\u9732\uff0c\u56e0\u4e3a\u6b64\u7c7b\u578b\u5728\u9759\u6001\u72b6\u6001\u4e0b\u88ab\u9519\u8bef\u5730\u4f7f\u7528\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Object Computing micronaut\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Object Computing Micronaut \u003c3.2.7"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-21700",
  "serverity": "\u4e2d",
  "submitTime": "2022-01-19",
  "title": "Object Computing micronaut\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2022-21700 (GCVE-0-2022-21700)

Vulnerability from cvelistv5 – Published: 2022-01-18 22:15 – Updated: 2025-04-23 19:10

Title

Memory leak in micronaut-core

Summary

Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. In affected versions sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state. ### Impact Sending an invalid Content Type header leads to memory leak in `DefaultArgumentConversionContext` as this type is erroneously used in static state. ### Patches The problem is patched in Micronaut 3.2.7 and above. ### Workarounds The default content type binder can be replaced in an existing Micronaut application to mitigate the issue: ```java package example; import java.util.List; import io.micronaut.context.annotation.Replaces; import io.micronaut.core.convert.ConversionService; import io.micronaut.http.MediaType; import io.micronaut.http.bind.DefaultRequestBinderRegistry; import io.micronaut.http.bind.binders.RequestArgumentBinder; import jakarta.inject.Singleton; @Singleton @Replaces(DefaultRequestBinderRegistry.class) class FixedRequestBinderRegistry extends DefaultRequestBinderRegistry { public FixedRequestBinderRegistry(ConversionService conversionService, List<RequestArgumentBinder> binders) { super(conversionService, binders); } @Override protected void registerDefaultConverters(ConversionService<?> conversionService) { super.registerDefaultConverters(conversionService); conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -> { try { return MediaType.of(charSequence); } catch (IllegalArgumentException e) { return null; } }); } } ``` ### References Commit that introduced the vulnerability https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Micronaut Core](https://github.com/micronaut-projects/micronaut-core/issues) * Email us at [info@micronaut.io](mailto:info@micronaut.io)

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/micronaut-projects/micronaut-c…	x_refsource_CONFIRM
	https://github.com/micronaut-projects/micronaut-c…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	micronaut-projects	micronaut-core	Affected: < 3.2.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:53:34.717Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2457-2263-mm9f"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-21700",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:58:04.498253Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:10:23.677Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "micronaut-core",
          "vendor": "micronaut-projects",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.2.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. In affected versions sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state. ### Impact Sending an invalid Content Type header leads to memory leak in `DefaultArgumentConversionContext` as this type is erroneously used in static state. ### Patches The problem is patched in Micronaut 3.2.7 and above. ### Workarounds The default content type binder can be replaced in an existing Micronaut application to mitigate the issue: ```java package example; import java.util.List; import io.micronaut.context.annotation.Replaces; import io.micronaut.core.convert.ConversionService; import io.micronaut.http.MediaType; import io.micronaut.http.bind.DefaultRequestBinderRegistry; import io.micronaut.http.bind.binders.RequestArgumentBinder; import jakarta.inject.Singleton; @Singleton @Replaces(DefaultRequestBinderRegistry.class) class FixedRequestBinderRegistry extends DefaultRequestBinderRegistry { public FixedRequestBinderRegistry(ConversionService conversionService, List\u003cRequestArgumentBinder\u003e binders) { super(conversionService, binders); } @Override protected void registerDefaultConverters(ConversionService\u003c?\u003e conversionService) { super.registerDefaultConverters(conversionService); conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -\u003e { try { return MediaType.of(charSequence); } catch (IllegalArgumentException e) { return null; } }); } } ``` ### References Commit that introduced the vulnerability https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Micronaut Core](https://github.com/micronaut-projects/micronaut-core/issues) * Email us at [info@micronaut.io](mailto:info@micronaut.io)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-18T22:15:13.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2457-2263-mm9f"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3"
        }
      ],
      "source": {
        "advisory": "GHSA-2457-2263-mm9f",
        "discovery": "UNKNOWN"
      },
      "title": "Memory leak in micronaut-core",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21700",
          "STATE": "PUBLIC",
          "TITLE": "Memory leak in micronaut-core"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "micronaut-core",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.2.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "micronaut-projects"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. In affected versions sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state. ### Impact Sending an invalid Content Type header leads to memory leak in `DefaultArgumentConversionContext` as this type is erroneously used in static state. ### Patches The problem is patched in Micronaut 3.2.7 and above. ### Workarounds The default content type binder can be replaced in an existing Micronaut application to mitigate the issue: ```java package example; import java.util.List; import io.micronaut.context.annotation.Replaces; import io.micronaut.core.convert.ConversionService; import io.micronaut.http.MediaType; import io.micronaut.http.bind.DefaultRequestBinderRegistry; import io.micronaut.http.bind.binders.RequestArgumentBinder; import jakarta.inject.Singleton; @Singleton @Replaces(DefaultRequestBinderRegistry.class) class FixedRequestBinderRegistry extends DefaultRequestBinderRegistry { public FixedRequestBinderRegistry(ConversionService conversionService, List\u003cRequestArgumentBinder\u003e binders) { super(conversionService, binders); } @Override protected void registerDefaultConverters(ConversionService\u003c?\u003e conversionService) { super.registerDefaultConverters(conversionService); conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -\u003e { try { return MediaType.of(charSequence); } catch (IllegalArgumentException e) { return null; } }); } } ``` ### References Commit that introduced the vulnerability https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Micronaut Core](https://github.com/micronaut-projects/micronaut-core/issues) * Email us at [info@micronaut.io](mailto:info@micronaut.io)"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2457-2263-mm9f",
              "refsource": "CONFIRM",
              "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2457-2263-mm9f"
            },
            {
              "name": "https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3",
              "refsource": "MISC",
              "url": "https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2457-2263-mm9f",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-21700",
    "datePublished": "2022-01-18T22:15:13.000Z",
    "dateReserved": "2021-11-16T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:10:23.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-15492

CVE-2022-21700 (GCVE-0-2022-21700)

Tags

Sightings

Nomenclature