Chapter 2. MTA 6.2.3


2.1. Resolved issues

The following highlighted issues have been resolved in MTA version 6.2.3.

CVE-2024-30255: mta-hub-container envoy: HTTP/2 CPU exhaustion due to CONTINUATION frame flood

A flaw was found in how the Envoy proxy implements the HTTP/2 protocol stack, which impacts earlier versions of MTA. There are insufficient limitations placed on the number of CONTINUATION frames that can be sent within a single stream. An unauthenticated remote attacker could send such messages to vulnerable servers, using up resources and causing a denial of service (DoS). Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-30255).

CVE-2024-29180: webpack-dev-middleware lack of URL validation may lead to file leak

A flaw was found in the webpack-dev-middleware package, which impacts earlier versions of MTA, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer’s machine. The lack of normalization before calling the middleware also allows the attacker to perform path traversal attacks on the target environment. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-29180).

CVE-2024-28849: follow-redirects package clears authorization headers

A flaw was found in the follow-redirects package: it clears authorization headers, but it fails to clear the proxy-authentication headers. This flaw impacts earlier versions of MTA. It could lead to credential leakage, which could have a high impact on data confidentiality. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-28849).
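The following added example (not part of the original release notes and not follow-redirects code) shows the class of bug described above: a redirect handler whose list of credential headers omits the proxy credential header (`Proxy-Authorization` in HTTP), next to a complete list. The function name, the same-origin policy and the sample headers are assumptions made for illustration.

```javascript
// Added illustration; not follow-redirects source code.
// INCOMPLETE omits the proxy credential header, as in the flaw described above.
const INCOMPLETE = /^(?:authorization|cookie)$/i;
const COMPLETE = /^(?:(?:proxy-)?authorization|cookie)$/i;

// Assumed policy: credentials survive a redirect only when scheme, host and
// port are all unchanged (same origin).
function headersForRedirect(headers, fromUrl, location, sensitive = COMPLETE) {
  const from = new URL(fromUrl);
  const to = new URL(location, from); // the Location value may be relative
  const sameOrigin = from.origin === to.origin;
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (/^host$/i.test(name)) continue; // recomputed for the new target
    if (!sameOrigin && sensitive.test(name)) continue;
    kept[name] = value;
  }
  return { url: to.href, headers: kept };
}

// Constructed request headers (placeholder values, not real credentials).
const sampleHeaders = {
  Authorization: "Bearer constructed-token",
  "Proxy-Authorization": "Basic constructed-value",
  Cookie: "sid=constructed",
  Accept: "application/json",
};

// Sorted header names that would be sent on the redirected request.
function keptNames(result) {
  return Object.keys(result.headers).sort();
}

const origin = "https://api.example.test/v1/items";
const elsewhere = "https://files.other.test/items";
console.log(keptNames(headersForRedirect(sampleHeaders, origin, elsewhere, INCOMPLETE)));
console.log(keptNames(headersForRedirect(sampleHeaders, origin, elsewhere)));
```

With the incomplete list the proxy credential is still present after the cross-origin redirect; with the complete list only `Accept` remains.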

CVE-2024-27316: HTTP-2: httpd: CONTINUATION frames

A flaw was found in how Apache httpd implements the HTTP/2 protocol, which impacts earlier versions of MTA. This flaw means that there are insufficient limitations placed on the number of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up memory resources and lead to a denial of service (DoS) attack. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-27316).

CVE-2023-45288: Golang net/http, x/net/http2: unlimited number of CONTINUATION frames can cause a denial-of-service (DoS) attack

A flaw was found in the implementation of the HTTP/2 protocol in the Go programming language, which impacts previous versions of MTA. There were insufficient limitations on the number of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a denial-of-service (DoS) attack. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2023-45288).
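The three CONTINUATION entries above (Envoy, Apache httpd and Go) share one missing control: a bound on the header block that follows a HEADERS frame. This added example (not from the release notes, and not code from any of those projects) walks raw HTTP/2 frames and enforces both a frame-count cap and a byte cap per header block; the byte cap alone is not enough, because CONTINUATION frames may be empty. The limit values and function names are assumptions.

```javascript
// Added illustration; not Envoy, httpd or Go source. Limit values are assumptions.
const HEADERS = 0x1, CONTINUATION = 0x9, END_HEADERS = 0x4;
const LIMITS = { maxContinuationFrames: 8, maxHeaderBlockBytes: 16384 };

// Build one frame (9-octet header + zero-filled payload) for constructed samples.
function makeFrame(type, flags, streamId, payloadLen) {
  const frame = new Uint8Array(9 + payloadLen);
  const view = new DataView(frame.buffer);
  view.setUint16(0, payloadLen >>> 8); // 24-bit big-endian length
  view.setUint8(2, payloadLen & 0xff);
  frame[3] = type;
  frame[4] = flags;
  view.setUint32(5, streamId & 0x7fffffff); // reserved bit cleared
  return frame;
}

function joinFrames(frames) {
  const out = new Uint8Array(frames.reduce((n, f) => n + f.length, 0));
  let off = 0;
  for (const f of frames) { out.set(f, off); off += f.length; }
  return out;
}

// Walk the frames and bound every header block (HEADERS followed by CONTINUATION*).
function inspectHeaderBlocks(bytes, limits = LIMITS) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let off = 0, block = null; // block = { streamId, continuationFrames, size } while open
  while (off + 9 <= bytes.length) {
    const len = (view.getUint16(off) << 8) | view.getUint8(off + 2);
    const type = view.getUint8(off + 3), flags = view.getUint8(off + 4);
    const streamId = view.getUint32(off + 5) & 0x7fffffff;
    if (block && (type !== CONTINUATION || streamId !== block.streamId))
      return { ok: false, reason: "header block interrupted", ...block };
    if (!block && type === CONTINUATION)
      return { ok: false, reason: "CONTINUATION without HEADERS" };
    if (type === HEADERS) block = { streamId, continuationFrames: 0, size: len };
    else if (type === CONTINUATION) { block.continuationFrames += 1; block.size += len; }
    if (block) {
      if (block.continuationFrames > limits.maxContinuationFrames)
        return { ok: false, reason: "too many CONTINUATION frames", ...block };
      if (block.size > limits.maxHeaderBlockBytes)
        return { ok: false, reason: "header block too large", ...block };
      if (flags & END_HEADERS) block = null;
    }
    off += 9 + len;
  }
  return { ok: block === null, reason: block ? "header block not terminated" : "ok" };
}
```

The input is assumed to start at a frame boundary, after the connection preface. The check returns as soon as a limit is exceeded, so the work done per header block stays bounded regardless of how many frames follow.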

CVE-2023-45857: Axios 1.5 exposes confidential data stored in cookies

A flaw was discovered in Axios 1.5.1 that accidentally revealed the confidential XSRF-TOKEN, stored in cookies, by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, thereby allowing attackers to view sensitive information. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2023-45857).

CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

A flaw was found in Apache Commons Compress versions 1.3 through 1.25.0. The flaw allows for an infinite loop, which can cause a denial of service (DoS) and impact availability. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-25710).

CVE-2024-26308: Allocation of resources without limits or throttling vulnerability in Apache Commons Compress

A flaw was found in Apache Commons Compress versions. The flaw, known as Allocation of Resources Without Limits or Throttling, allows for the exploitation of resources without any limits or throttling. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-26308).

CVE-2024-1300: `io.vertx:vertx-core` memory leak when a TCP server is configured with TLS and SNI support

A flaw was found in the Eclipse `Vert.x` toolkit. This flaw can cause a memory leak on TCP servers configured with TLS and SNI support and could allow attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory (OOM) error. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-1300).

CVE-2024-1132: org.keycloak-keycloak-parent: keycloak path traversal in redirection validation

A flaw was discovered in Keycloak, where it does not properly validate URLs included in a redirect. This flaw could allow an attacker to construct a malicious request to bypass validation, and access other URLs and sensitive information within the domain or conduct further attacks. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-1132).

CVE-2024-1023: Memory leak vulnerability in the Eclipse Vert.x Toolkit with Netty FastThreadLocal data structures

A flaw was found in the Eclipse `Vert.x` toolkit. This flaw can result in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, this can trigger a memory leak. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2024-1023).

CVE-2023-26159: follow-redirects improper input validation due to the improper handling of URLs by the url.parse() function

A flaw was found in the follow-redirects package. This flaw is caused by the improper handling of URLs by the url.parse() function. When new URL() returns an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2023-26159).

CVE-2023-26364: css-tools improper input validation causes denial of service

A flaw was found in @adobe/css-tools, which could potentially lead to a minor denial of service (DoS) when parsing CSS. User interaction and privileges are not required to jeopardize an environment. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2023-26364).

CVE-2023-48631: css-tools: regular expression denial of service

A flaw was found in @adobe/css-tools, which could lead to a regular expression denial of service (ReDoS) when attempting to parse CSS. Users are recommended to upgrade to MTA 6.2.3, which resolves this issue.

For more details, see (CVE-2023-48631).

For a complete list of all issues resolved in this release, see the list of Resolved Issues in Jira.

2.2. Known issues

MTA version 6.2.3 has no major known issues.

For a complete list of all known issues in this release, see the list of Known Issues in Jira.


© 2024 Red Hat, Inc.