CVE-2022-21700: Memory leak in micronaut-core
First published: Tue Jan 18 2022(Updated: )
Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. In affected versions sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state. ### Impact Sending an invalid Content Type header leads to memory leak in `DefaultArgumentConversionContext` as this type is erroneously used in static state. ### Patches The problem is patched in Micronaut 3.2.7 and above. ### Workarounds The default content type binder can be replaced in an existing Micronaut application to mitigate the issue: ```java package example; import java.util.List; import io.micronaut.context.annotation.Replaces; import io.micronaut.core.convert.ConversionService; import io.micronaut.http.MediaType; import io.micronaut.http.bind.DefaultRequestBinderRegistry; import io.micronaut.http.bind.binders.RequestArgumentBinder; import jakarta.inject.Singleton; @Singleton @Replaces(DefaultRequestBinderRegistry.class) class FixedRequestBinderRegistry extends DefaultRequestBinderRegistry { public FixedRequestBinderRegistry(ConversionService conversionService, List<RequestArgumentBinder> binders) { super(conversionService, binders); } @Override protected void registerDefaultConverters(ConversionService<?> conversionService) { super.registerDefaultConverters(conversionService); conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -> { try { return MediaType.of(charSequence); } catch (IllegalArgumentException e) { return null; } }); } } ``` ### References Commit that introduced the vulnerability https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Micronaut Core](https://github.com/micronaut-projects/micronaut-core/issues) * Email us at [info@micronaut.io](mailto:info@micronaut.io)
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Objectcomputing Micronaut | <3.2.7 |
Remedy
https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-21700?
CVE-2022-21700 is a vulnerability in the Micronaut framework that can lead to a memory leak when an invalid Content Type header is sent.
How severe is CVE-2022-21700?
CVE-2022-21700 has a severity rating of 5.3, which is considered medium.
Which versions of Micronaut are affected by CVE-2022-21700?
Versions up to and exclusive of 3.2.7 of Micronaut are affected by CVE-2022-21700.
How can I fix CVE-2022-21700?
To fix CVE-2022-21700, it is recommended to upgrade to a version of Micronaut that is not affected by the vulnerability.
Where can I find more information about CVE-2022-21700?
You can find more information about CVE-2022-21700 in the Micronaut Core GitHub repository and the security advisories page.
- collector/nvd-index
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/title
- agent/softwarecombine
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/objectcomputing
- canonical/objectcomputing micronaut