QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2014-3648

Back to search

CVE-2014-3648

Published: Jul 1, 2022

Modified: Aug 6, 2024

PUBLISHED

Description

The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exceptions when those endpoints can't be reached or can slow the server down by purposefully wasting it's time with slow endpoints. Similarly, one can provide whatever HTTP end point they want. This turns the server into a DDOS vector or an anonymizer for the posting of malware and so on.

VendorProductVersions

n/a

Jboss Aerogear

affected
Jboss Aerogear 1.0.0.final

Weaknesses (CWE)

CWE-400

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now