TOR-021 — metrics-lib – Denial of service in DescriptorImpl getRawDescriptorBytes via descriptor file
metrics-lib is vulnerable to a denial-of-service (DoS) attack if an attacker can pass it an arbitrary descriptor file. Depending on how the library is used, exploitation can terminate the entire application that imports metrics-lib when the attacker controls the contents of a descriptor file.
- Vulnerability type: CWE-789: Memory Allocation with Excessive Size Value
- Threat level: Moderate.
Recommendation: Catch the OutOfMemoryError thrown by the JVM (it is an Error, not an Exception, so a generic `catch (Exception e)` will not intercept it) and abort the whole parsing process.
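The following is an added illustration of the recommended handling, not code from metrics-lib: a hypothetical `GuardedDescriptorLoader` that rejects oversized files before any buffer is allocated (defense in depth against CWE-789) and, as a last resort, catches `OutOfMemoryError` around the raw-bytes step so one hostile descriptor aborts only its own parse instead of the whole application. The cap, the `DescriptorParser` interface and the simulated parser are assumptions for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical wrapper around a descriptor parser; not part of metrics-lib. */
public final class GuardedDescriptorLoader {

    /** Assumed upper bound on bytes we are willing to allocate for one descriptor file. */
    static final long MAX_DESCRIPTOR_BYTES = 16L * 1024 * 1024;

    /** Stand-in for the library's parsing entry point (assumption, not the real API). */
    @FunctionalInterface
    interface DescriptorParser {
        Object parse(byte[] rawDescriptorBytes);
    }

    /**
     * Loads and parses one descriptor file. Returns null if the file is refused
     * or if parsing it triggers an OutOfMemoryError; the caller can then skip the
     * file and continue with the rest of its work.
     */
    static Object loadDescriptor(Path descriptorFile, DescriptorParser parser) throws IOException {
        long size = Files.size(descriptorFile);
        // Pre-allocation check: refuse oversized input before creating any buffer.
        if (size > MAX_DESCRIPTOR_BYTES) {
            System.err.println("rejected " + descriptorFile + ": " + size + " bytes exceeds cap");
            return null;
        }
        try {
            byte[] raw = Files.readAllBytes(descriptorFile);
            return parser.parse(raw);
        } catch (OutOfMemoryError oom) {
            // The advisory's recommendation: abort this parse rather than let the
            // Error unwind the thread and take the importing application down.
            System.err.println("aborting parse of " + descriptorFile + ": " + oom.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a tiny descriptor-like file written to a temp path.
        Path sample = Files.createTempFile("descriptor", ".txt");
        Files.write(sample, "router example 127.0.0.1 9001\n".getBytes(StandardCharsets.US_ASCII));
        // Simulated hostile parse: stands in for an allocation driven by an attacker-chosen size.
        DescriptorParser allocating = raw -> { throw new OutOfMemoryError("simulated excessive allocation"); };
        Object result = loadDescriptor(sample, allocating);
        System.out.println("parse result: " + result + " (application still running)");
        Files.deleteIfExists(sample);
    }
}
```

Catching `OutOfMemoryError` is a containment measure only; once the heap is exhausted the JVM may not be in a recoverable state, so the size check that prevents the allocation is the part worth relying on.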
Edited by Gaba