CVE-2024-52581

Exploit

EPSS 0.76%
Veröffentlicht 20.11.2024 21:15:08
Zuletzt bearbeitet 25.11.2024 14:15:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Litestar allows unbounded resource consumption (DoS vulnerability)

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Litestar ≫ Litestar Version < 2.13.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.76%	0.503

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	8.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97

Product

https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138

Patch

https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj

Vendor Advisory

Exploit

https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q

https://nvd.nist.gov/vuln/detail/CVE-2024-52581

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52581

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52581

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-52581