Description
CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients that always send a fixed batch value when the server is using the acknowledgement extension may cause the unacknowledged message queue to grow indefinitely, eventually causing an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue. As a workaround, disable the acknowledgement extension.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected products
- cometd / cometd>= 5.0.0, < 5.0.23 – >= 5.0.0, < 5.0.23
- cometd / cometd>= 6.0.0, < 6.0.19 – >= 6.0.0, < 6.0.19
- cometd / cometd>= 7.0.0, < 7.0.19 – >= 7.0.0, < 7.0.19
- cometd / cometd>= 8.0.0, < 8.0.9 – >= 8.0.0, < 8.0.9
References
- VENDOR_ADVISORYhttps://github.com/cometd/cometd/security/advisories/GHSA-cqgj-h8vf-4w59
- MISChttps://github.com/cometd/cometd/issues/2117
- PATCHhttps://github.com/cometd/cometd/pull/2118
- PATCHhttps://github.com/cometd/cometd/pull/2168
- PATCHhttps://github.com/cometd/cometd/pull/2169
- MISChttps://github.com/cometd/cometd/discussions/2116