CVE-2020-14340 : A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles

A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.

Published 2021-06-02 13:15:08

Updated 2022-07-25 11:35:14

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Exploit prediction scoring system (EPSS) score for CVE-2020-14340

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 45 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-14340

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-14340

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2020-14340

https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1860218

1860218 – (CVE-2020-14340) CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS
Issue Tracking;Vendor Advisory

Products affected by CVE-2020-14340

Redhat » Jboss Enterprise Application Platform » Version: 5.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Operations Network » Version: 3.0
cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Fuse » Version: 6.0.0
cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Fuse » Version: 7.0.0
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Data Virtualization » Version: 6.0.0
cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:-:*:*:*:*:*:*
Matching versions
Redhat » Jboss Data Grid » Version: 7.0.0
cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Data Grid » Version: 6.0.0
cpe:2.3:a:redhat:jboss_data_grid:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Brms » Version: 5
cpe:2.3:a:redhat:jboss_brms:5:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Brms » Version: 6
cpe:2.3:a:redhat:jboss_brms:6:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Soa Platform » Version: 5
cpe:2.3:a:redhat:jboss_soa_platform:5:*:*:*:*:*:*:*
Matching versions
Redhat » Xnio
Versions from including (>=) 3.6.1 and before (<) 3.7.9
cpe:2.3:a:redhat:xnio:*:*:*:*:*:*:*:*
Matching versions
Redhat » Xnio
Versions from including (>=) 3.8.0 and before (<) 3.8.2
cpe:2.3:a:redhat:xnio:*:*:*:*:*:*:*:*
Matching versions
Redhat » Xnio » Version: 3.6.0 Update Beta1
cpe:2.3:a:redhat:xnio:3.6.0:beta1:*:*:*:*:*:*
Matching versions
Redhat » Xnio » Version: 3.6.0 Update Beta2
cpe:2.3:a:redhat:xnio:3.6.0:beta2:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Console » Version: 1.9.0
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Policy » Version: 1.14.0
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Unified Data Repository » Version: 1.14.0
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Security Edge Protection Proxy » Version: 1.15.0
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Repository Function » Version: 1.14.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Service Communication Proxy » Version: 1.14.0
cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2020-14340

Exploit prediction scoring system (EPSS) score for CVE-2020-14340

CVSS scores for CVE-2020-14340

CWE ids for CVE-2020-14340

References for CVE-2020-14340

Products affected by CVE-2020-14340