CVE-2014-3648
Last modified
CVE-2014-3648 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. EPSS estimates a 0.82% chance of exploitation in the next 30 days.
Description
The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting it's time with slow endpoints. Similarly, one can provide whatever HTTP end point they want. This turns the server into a DDOS vector or an anonymizer for the posting of malware and so on.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Jboss Aerogear | 1.0.0 |
References
- https://issues.redhat.com/browse/AEROGEAR-6091Issue Tracking, Permissions Required, Vendor Advisory
- https://issues.redhat.com/browse/AEROGEAR-6091Issue Tracking, Permissions Required, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2014-3648?
How severe is CVE-2014-3648?
How do I fix CVE-2014-3648?
Are you affected by CVE-2014-3648?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST