{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-29T02:18:39.666","vulnerabilities":[{"cve":{"id":"CVE-2021-21293","sourceIdentifier":"security-advisories@github.com","published":"2021-02-02T22:15:12.290","lastModified":"2026-06-17T03:35:13.087","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. The issue is fixed in version 0.14.15 for \"NIO1SocketServerGroup\". A \"maxConnections\" parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number. The \"NIO2SocketServerGroup\" has no such setting and is now deprecated. There are several possible workarounds described in the referenced GitHub Advisory GHSA-xmw9-q7x9-j5qc."},{"lang":"es","value":"blaze es una biblioteca de Scala para construir pipelines asincrónicos, con un enfoque en la E/S de red. Todos los servidores que ejecutan blaze-core anterior a versión 0.14.15 están afectados por una vulnerabilidad en la que la aceptación de una conexión ilimitada conduce al agotamiento del control de archivos. Blaze, acepta conexiones incondicionalmente en un grupo de subprocesos dedicado. Esto tiene el efecto neto de amplificar la degradación en los servicios que no pueden manejar su carga de peticiones actual, ya que las conexiones entrantes aún se aceptan y agregan a una cola ilimitada. Cada conexión asigna un identificador de socket, lo que agota un recurso escaso del sistema operativo. Esto también puede confundir a los disyuntores de nivel superior que funcionan basándose en la detección de conexiones en fallo. La gran mayoría de los usuarios afectados lo utilizan como parte de http4s-blaze-server versiones anteriores a 0.21.16 e incluyéndola. http4s proporciona un mecanismo para limitar las conexiones abiertas, pero se aplica dentro del bucle de aceptación de Blaze, después de que se acepta la conexión y se abre el socket. Por lo tanto, el límite solo evita el número de conexiones que se pueden procesar simultáneamente, no el número de conexiones que se pueden mantener abiertas. El problema se solucionó en la versión 0.14.15 para \"NIO1SocketServerGroup\". Se agrega un parámetro \"maxConnections\", con un valor predeterminado de 512. Se rechazan las conexiones simultáneas más allá de este límite. Para ejecutar sin límites, lo cual no se recomienda, establezca un número negativo. El \"NIO2SocketServerGroup\" no tiene tal configuración y ahora está obsoleto. Existen varias posibles soluciones que se describen en el Aviso de GitHub referenciado GHSA-xmw9-q7x9-j5qc"}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"http4s","product":"blaze","versions":[{"version":"< 0.14.15","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","baseScore":5.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":10.0,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:typelevel:blaze:*:*:*:*:*:*:*:*","versionEndExcluding":"0.14.15","matchCriteriaId":"AE06DFF4-7550-4AC9-8645-72D090B9BFEE"}]}]}],"references":[{"url":"https://github.com/http4s/blaze/commit/4f786177f9fb71ab272f3a5f6c80bca3e5662aa1","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/http4s/blaze/commit/4f786177f9fb71ab272f3a5f6c80bca3e5662aa1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}