CVE-2026-33012

{"id": "CVE-2026-33012", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T05:16:15.200", "references": [{"url": "https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker, (for example, including request query value parameters) it could be used by remote attackers to cause an unbounded heap growth and OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7."}, {"lang": "es", "value": "Micronaut Framework es un framework Java de pila completa basado en JVM dise\u00f1ado para construir aplicaciones JVM modulares y f\u00e1cilmente testeables. Las versiones 4.7.0 a la 4.10.16 usaban una cach\u00e9 ConcurrentHashMap ilimitada sin pol\u00edtica de desalojo en su DefaultHtmlErrorResponseBodyProvider. Si la aplicaci\u00f3n lanza una excepci\u00f3n cuyo mensaje puede ser influenciado por un atacante, (por ejemplo, incluyendo par\u00e1metros de valor de consulta de solicitud) podr\u00eda ser usado por atacantes remotos para causar un crecimiento de heap ilimitado y OutOfMemoryError, lo que lleva a DoS. Este problema ha sido solucionado en la versi\u00f3n 4.10.7."}], "lastModified": "2026-03-24T21:21:44.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C50C427C-305C-4A11-A5F5-E1AEB19AD09D", "versionEndExcluding": "4.10.17", "versionStartIncluding": "4.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}