CWE-405
Allowed-with-ReviewAsymmetric Resource Consumption (Amplification)
Abstraction: Class · Status: Incomplete
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
85 vulnerabilities reference this CWE, most recent first.
CVE-2024-49363 (GCVE-0-2024-49363)
Vulnerability from cvelistv5 – Published: 2024-12-18 19:24 – Updated: 2024-12-19 16:46| URL | Tags |
|---|---|
| https://github.com/misskey-dev/misskey/security/a… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| misskey-dev | misskey |
Affected:
< CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-19T16:46:18.558266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T16:46:26.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "misskey",
"vendor": "misskey-dev",
"versions": [
{
"status": "affected",
"version": "\u003c CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request.\nLeading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-18T19:24:34.399Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v236"
}
],
"source": {
"advisory": "GHSA-gq5q-c77c-v236",
"discovery": "UNKNOWN"
},
"title": "Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49363",
"datePublished": "2024-12-18T19:24:34.399Z",
"dateReserved": "2024-10-14T13:56:34.810Z",
"dateUpdated": "2024-12-19T16:46:26.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45590 (GCVE-0-2024-45590)
Vulnerability from cvelistv5 – Published: 2024-09-10 15:54 – Updated: 2024-09-10 18:47- CWE-405 - Asymmetric Resource Consumption (Amplification)
| URL | Tags |
|---|---|
| https://github.com/expressjs/body-parser/security… | x_refsource_CONFIRM |
| https://github.com/expressjs/body-parser/commit/b… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| expressjs | body-parser |
Affected:
< 1.20.3
|
|
| expressjs | body-parser |
Affected:
0 , < 1.20.3
(custom)
cpe:2.3:a:expressjs:body-parser:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:expressjs:body-parser:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "body-parser",
"vendor": "expressjs",
"versions": [
{
"lessThan": "1.20.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45590",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T18:42:41.773305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T18:47:22.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "body-parser",
"vendor": "expressjs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.20.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "body-parser is Node.js body parsing middleware. body-parser \u003c1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T15:54:02.330Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7"
},
{
"name": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce"
}
],
"source": {
"advisory": "GHSA-qwcr-r2fm-qrc7",
"discovery": "UNKNOWN"
},
"title": "body-parser vulnerable to denial of service when url encoding is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45590",
"datePublished": "2024-09-10T15:54:02.330Z",
"dateReserved": "2024-09-02T16:00:02.422Z",
"dateUpdated": "2024-09-10T18:47:22.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40705 (GCVE-0-2024-40705)
Vulnerability from cvelistv5 – Published: 2024-08-15 16:48 – Updated: 2024-08-19 20:35- CWE-405 - Asymmetric Resource Consumption (Amplification)
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7160855 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | InfoSphere Information Server |
Affected:
11.7
cpe:2.3:a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T20:35:30.671374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T20:35:38.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "InfoSphere Information Server",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM InfoSphere Information Server could allow an authenticated user to consume file space resources due to unrestricted file uploads. IBM X-Force ID: 298279."
}
],
"value": "IBM InfoSphere Information Server could allow an authenticated user to consume file space resources due to unrestricted file uploads. IBM X-Force ID: 298279."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-15T16:48:03.025Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7160855"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/298279"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM InfoSphere Information Server denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-40705",
"datePublished": "2024-08-15T16:48:03.025Z",
"dateReserved": "2024-07-08T19:31:12.239Z",
"dateUpdated": "2024-08-19T20:35:38.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39743 (GCVE-0-2024-39743)
Vulnerability from cvelistv5 – Published: 2024-07-08 13:14 – Updated: 2024-08-02 04:26- CWE-405 - Asymmetric Resource Consumption (Amplification)
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7159714 | vendor-advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | MQ Operator |
Affected:
2.0.24, 3.2.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T17:41:53.322390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T19:58:56.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:16.002Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7159714"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/297172"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MQ Operator",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "2.0.24, 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM MQ Operator 3.2.2 and IBM MQ Operator 2.0.24 IBM MQ Container Developer Edition is vulnerable to denial of service caused by incorrect memory de-allocation. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 297172."
}
],
"value": "IBM MQ Operator 3.2.2 and IBM MQ Operator 2.0.24 IBM MQ Container Developer Edition is vulnerable to denial of service caused by incorrect memory de-allocation. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 297172."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T13:48:40.013Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7159714"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/297172"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM MQ Container denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-39743",
"datePublished": "2024-07-08T13:14:43.915Z",
"dateReserved": "2024-06-28T09:34:46.056Z",
"dateUpdated": "2024-08-02T04:26:16.002Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34703 (GCVE-0-2024-34703)
Vulnerability from cvelistv5 – Published: 2024-06-30 20:22 – Updated: 2026-01-30 19:54| URL | Tags |
|---|---|
| https://github.com/randombit/botan/security/advis… | x_refsource_CONFIRM |
| https://github.com/randombit/botan/commit/08c404b… | x_refsource_MISC |
| https://github.com/randombit/botan/commit/94e9154… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:randombit:botan:3.30:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "botan",
"vendor": "randombit",
"versions": [
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.30",
"versionType": "custom"
},
{
"lessThan": "2.19.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T14:55:26.269940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T15:13:21.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:21.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7"
},
{
"name": "https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4"
},
{
"name": "https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "botan",
"vendor": "randombit",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha0, \u003c 3.3.0"
},
{
"status": "affected",
"version": "\u003c 2.19.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T19:54:58.434Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7"
},
{
"name": "https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4"
},
{
"name": "https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a"
}
],
"source": {
"advisory": "GHSA-w4g2-7m2h-7xj7",
"discovery": "UNKNOWN"
},
"title": "Botan Vulnerable to Denial of Service Due to Overly Large Elliptic Curve Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34703",
"datePublished": "2024-06-30T20:22:32.910Z",
"dateReserved": "2024-05-07T13:53:00.132Z",
"dateUpdated": "2026-01-30T19:54:58.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-34702 (GCVE-0-2024-34702)
Vulnerability from cvelistv5 – Published: 2024-07-08 16:22 – Updated: 2024-08-02 02:59- CWE-405 - Asymmetric Resource Consumption (Amplification)
| URL | Tags |
|---|---|
| https://github.com/randombit/botan/security/advis… | x_refsource_CONFIRM |
| https://github.com/randombit/botan/pull/4034 | x_refsource_MISC |
| https://github.com/randombit/botan/pull/4045 | x_refsource_MISC |
| https://github.com/randombit/botan/pull/4047 | x_refsource_MISC |
| https://github.com/randombit/botan/pull/4052 | x_refsource_MISC |
| https://github.com/randombit/botan/pull/4186 | x_refsource_MISC |
| https://github.com/randombit/botan/pull/4187 | x_refsource_MISC |
| https://github.com/randombit/botan/commit/21dccc8… | x_refsource_MISC |
| https://github.com/randombit/botan/commit/39535f1… | x_refsource_MISC |
| https://github.com/randombit/botan/commit/477822a… | x_refsource_MISC |
| https://github.com/randombit/botan/commit/7606d70… | x_refsource_MISC |
| https://github.com/randombit/botan/commit/c326482… | x_refsource_MISC |
| https://github.com/randombit/botan/commit/ff704b1… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:randombit:botan:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "botan",
"vendor": "randombit",
"versions": [
{
"lessThan": "3.5.0",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.19.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T17:49:00.765800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T20:14:23.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j"
},
{
"name": "https://github.com/randombit/botan/pull/4034",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/pull/4034"
},
{
"name": "https://github.com/randombit/botan/pull/4045",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/pull/4045"
},
{
"name": "https://github.com/randombit/botan/pull/4047",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/pull/4047"
},
{
"name": "https://github.com/randombit/botan/pull/4052",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/pull/4052"
},
{
"name": "https://github.com/randombit/botan/pull/4186",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/pull/4186"
},
{
"name": "https://github.com/randombit/botan/pull/4187",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/pull/4187"
},
{
"name": "https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e"
},
{
"name": "https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac"
},
{
"name": "https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1"
},
{
"name": "https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf"
},
{
"name": "https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41"
},
{
"name": "https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "botan",
"vendor": "randombit",
"versions": [
{
"status": "affected",
"version": "\u003c 2.19.5"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints. An attacker who presented a certificate chain which contained a very large number of names in the SubjectAlternativeName, signed by a CA certificate which contained a large number of name constraints, could cause a denial of service. The problem has been addressed in Botan 3.5.0 and a partial backport has also been applied and is included in Botan 2.19.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T16:22:37.770Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j"
},
{
"name": "https://github.com/randombit/botan/pull/4034",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/pull/4034"
},
{
"name": "https://github.com/randombit/botan/pull/4045",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/pull/4045"
},
{
"name": "https://github.com/randombit/botan/pull/4047",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/pull/4047"
},
{
"name": "https://github.com/randombit/botan/pull/4052",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/pull/4052"
},
{
"name": "https://github.com/randombit/botan/pull/4186",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/pull/4186"
},
{
"name": "https://github.com/randombit/botan/pull/4187",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/pull/4187"
},
{
"name": "https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e"
},
{
"name": "https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac"
},
{
"name": "https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1"
},
{
"name": "https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf"
},
{
"name": "https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41"
},
{
"name": "https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8"
}
],
"source": {
"advisory": "GHSA-5gg9-hqpr-r58j",
"discovery": "UNKNOWN"
},
"title": "Botan has a Denial of Service Due to Excessive Name Constraints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34702",
"datePublished": "2024-07-08T16:22:37.770Z",
"dateReserved": "2024-05-07T13:53:00.132Z",
"dateUpdated": "2024-08-02T02:59:22.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28214 (GCVE-0-2024-28214)
Vulnerability from cvelistv5 – Published: 2024-03-07 04:49 – Updated: 2024-11-08 17:07- CWE-405 - Asymmetric Resource Consumption (Amplification)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "NAVER Security Advisory",
"tags": [
"x_transferred"
],
"url": "https://cve.naver.com/detail/cve-2024-28214.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T16:46:08.193153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T17:07:55.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "nGrinder",
"vendor": "NAVER",
"versions": [
{
"status": "unaffected",
"version": "3.5.9"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter St\u00f6ckli of GitHub Security Lab"
}
],
"descriptions": [
{
"lang": "en",
"value": "nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T04:12:38.448Z",
"orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"shortName": "naver"
},
"references": [
{
"name": "NAVER Security Advisory",
"url": "https://cve.naver.com/detail/cve-2024-28214.html"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
"assignerShortName": "naver",
"cveId": "CVE-2024-28214",
"datePublished": "2024-03-07T04:49:57.531Z",
"dateReserved": "2024-03-07T02:38:58.221Z",
"dateUpdated": "2024-11-08T17:07:55.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11187 (GCVE-0-2024-11187)
Vulnerability from cvelistv5 – Published: 2025-01-29 21:40 – Updated: 2025-02-11 19:02- CWE-405 - Asymmetric Resource Consumption (Amplification)
| Vendor | Product | Version | |
|---|---|---|---|
| ISC | BIND 9 |
Affected:
9.11.0 , ≤ 9.11.37
(custom)
Affected: 9.16.0 , ≤ 9.16.50 (custom) Affected: 9.18.0 , ≤ 9.18.32 (custom) Affected: 9.20.0 , ≤ 9.20.4 (custom) Affected: 9.21.0 , ≤ 9.21.3 (custom) Affected: 9.11.3-S1 , ≤ 9.11.37-S1 (custom) Affected: 9.16.8-S1 , ≤ 9.16.50-S1 (custom) Affected: 9.18.11-S1 , ≤ 9.18.32-S1 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T15:27:46.174106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T15:27:58.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-11T19:02:32.914Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0002/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BIND 9",
"vendor": "ISC",
"versions": [
{
"lessThanOrEqual": "9.11.37",
"status": "affected",
"version": "9.11.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.16.50",
"status": "affected",
"version": "9.16.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.18.32",
"status": "affected",
"version": "9.18.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.20.4",
"status": "affected",
"version": "9.20.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.21.3",
"status": "affected",
"version": "9.21.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.11.37-S1",
"status": "affected",
"version": "9.11.3-S1",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.16.50-S1",
"status": "affected",
"version": "9.16.8-S1",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.18.32-S1",
"status": "affected",
"version": "9.18.11-S1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ISC would like to thank Toshifumi Sakaguchi for bringing this vulnerability to our attention."
}
],
"datePublic": "2025-01-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure.\nThis issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1."
}
],
"exploits": [
{
"lang": "en",
"value": "We are not aware of any active exploits."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A `named` instance vulnerable to this issue can be compelled to consume excessive CPU resources up to the point where exhaustion of resources effectively prevents the server from responding to other client queries. This issue is most likely to affect resolvers but could also degrade authoritative server performance."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T21:40:11.942Z",
"orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"shortName": "isc"
},
"references": [
{
"name": "CVE-2024-11187",
"tags": [
"vendor-advisory"
],
"url": "https://kb.isc.org/docs/cve-2024-11187"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.33, 9.20.5, 9.21.4, or 9.18.33-S1."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Many records in the additional section cause CPU exhaustion",
"workarounds": [
{
"lang": "en",
"value": "Setting option `minimal-responses yes;` provides an effective workaround."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"assignerShortName": "isc",
"cveId": "CVE-2024-11187",
"datePublished": "2025-01-29T21:40:11.942Z",
"dateReserved": "2024-11-13T17:20:48.660Z",
"dateUpdated": "2025-02-11T19:02:32.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0450 (GCVE-0-2024-0450)
Vulnerability from cvelistv5 – Published: 2024-03-19 15:12 – Updated: 2025-11-03 21:50| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.8.19
(python)
Affected: 3.9.0 , < 3.9.19 (python) Affected: 3.10.0 , < 3.10.14 (python) Affected: 3.11.0 , < 3.11.8 (python) Affected: 3.12.0 , < 3.12.2 (python) Affected: 3.13.0a1 , < 3.13.0a3 (python) |
|
| python | cpython |
Affected:
0 , < 3.8.18
(custom)
Affected: 3.9.18 Affected: 3.10.13 Affected: 3.11.7 Affected: 3.12.1 cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:50:58.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/python/cpython/issues/109858"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.bamsoftware.com/hacks/zipbomb/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/20/5"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250411-0005/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cpython",
"vendor": "python",
"versions": [
{
"lessThan": "3.8.18",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "affected",
"version": "3.9.18"
},
{
"status": "affected",
"version": "3.10.13"
},
{
"status": "affected",
"version": "3.11.7"
},
{
"status": "affected",
"version": "3.12.1"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0450",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-20T14:30:38.300055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T15:00:26.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.8.19",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.9.19",
"status": "affected",
"version": "3.9.0",
"versionType": "python"
},
{
"lessThan": "3.10.14",
"status": "affected",
"version": "3.10.0",
"versionType": "python"
},
{
"lessThan": "3.11.8",
"status": "affected",
"version": "3.11.0",
"versionType": "python"
},
{
"lessThan": "3.12.2",
"status": "affected",
"version": "3.12.0",
"versionType": "python"
},
{
"lessThan": "3.13.0a3",
"status": "affected",
"version": "3.13.0a1",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eAn issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe zipfile module is vulnerable to \u201cquoted-overlap\u201d zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to \u201cquoted-overlap\u201d zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T19:24:15.993Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/109858"
},
{
"url": "https://www.bamsoftware.com/hacks/zipbomb/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/20/5"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Quoted zip-bomb protection for zipfile",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2024-0450",
"datePublished": "2024-03-19T15:12:07.789Z",
"dateReserved": "2024-01-11T22:16:41.964Z",
"dateUpdated": "2025-11-03T21:50:58.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-2992 (GCVE-0-2023-2992)
Vulnerability from cvelistv5 – Published: 2023-06-26 19:44 – Updated: 2024-09-16 14:51- CWE-405 - Asymmetric Resource Consumption (Amplification)
| Vendor | Product | Version | |
|---|---|---|---|
| Lenovo | System Management Module (SMM) |
Affected:
various
|
|
| Lenovo | Fan Power Controller (FPC) |
Affected:
various
|
|
| lenovo | nextscale_n1200_enclosure_firmware |
Affected:
0 , < fhet60b-3.40
(custom)
cpe:2.3:o:lenovo:nextscale_n1200_enclosure_firmware:-:*:*:*:*:*:*:* |
|
| lenovo | thinkagile_cp-cb-10e_firmware |
Affected:
0 , < tesm38c-1.2
(custom)
cpe:2.3:o:lenovo:thinkagile_cp-cb-10e_firmware:-:*:*:*:*:*:*:* |
|
| lenovo | thinkagile_cp-cb-10_firmware |
Affected:
0 , < tesm38c-1.2
(custom)
cpe:2.3:o:lenovo:thinkagile_cp-cb-10_firmware:-:*:*:*:*:*:*:* |
|
| lenovo | thinkagile_hx_enclosure_firmware |
Affected:
0 , < tesm38c-1.2
(custom)
cpe:2.3:o:lenovo:thinkagile_hx_enclosure_firmware:-:*:*:*:*:*:*:* |
|
| lenovo | thinkagile_vx_enclosure_firmware |
Affected:
0 , < tesm38c-1.2
(custom)
cpe:2.3:o:lenovo:thinkagile_vx_enclosure_firmware:-:*:*:*:*:*:*:* |
|
| lenovo | thinksystem_d2_enclosure_firmware |
Affected:
0 , < tesm38c-1.2
(custom)
cpe:2.3:o:lenovo:thinksystem_d2_enclosure_firmware:-:*:*:*:*:*:*:* |
|
| lenovo | thinksystem_da240_enclosure_firmware |
Affected:
0 , < tesm38c-1.2
(custom)
cpe:2.3:o:lenovo:thinksystem_da240_enclosure_firmware:-:*:*:*:*:*:*:* |
|
| lenovo | thinksystem_dw612_enclosure_firmware |
Affected:
0 , < tesm38c-1.2
(custom)
cpe:2.3:o:lenovo:thinksystem_dw612_enclosure_firmware:-:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:lenovo:nextscale_n1200_enclosure_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nextscale_n1200_enclosure_firmware",
"vendor": "lenovo",
"versions": [
{
"lessThan": "fhet60b-3.40",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:lenovo:thinkagile_cp-cb-10e_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thinkagile_cp-cb-10e_firmware",
"vendor": "lenovo",
"versions": [
{
"lessThan": "tesm38c-1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:lenovo:thinkagile_cp-cb-10_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thinkagile_cp-cb-10_firmware",
"vendor": "lenovo",
"versions": [
{
"lessThan": "tesm38c-1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:lenovo:thinkagile_hx_enclosure_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thinkagile_hx_enclosure_firmware",
"vendor": "lenovo",
"versions": [
{
"lessThan": "tesm38c-1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:lenovo:thinkagile_vx_enclosure_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thinkagile_vx_enclosure_firmware",
"vendor": "lenovo",
"versions": [
{
"lessThan": "tesm38c-1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:lenovo:thinksystem_d2_enclosure_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thinksystem_d2_enclosure_firmware",
"vendor": "lenovo",
"versions": [
{
"lessThan": "tesm38c-1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:lenovo:thinksystem_da240_enclosure_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thinksystem_da240_enclosure_firmware",
"vendor": "lenovo",
"versions": [
{
"lessThan": "tesm38c-1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:lenovo:thinksystem_dw612_enclosure_firmware:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "thinksystem_dw612_enclosure_firmware",
"vendor": "lenovo",
"versions": [
{
"lessThan": "tesm38c-1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-19T18:18:54.770375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T18:19:01.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:04.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.lenovo.com/us/en/product_security/LEN-127357"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "System Management Module (SMM)",
"vendor": "Lenovo",
"versions": [
{
"status": "affected",
"version": "various"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Fan Power Controller (FPC)",
"vendor": "Lenovo",
"versions": [
{
"status": "affected",
"version": "various"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated \u0026nbsp;denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions. Rebooting SMM or FPC will restore access to the management web server."
}
],
"value": "An unauthenticated \u00a0denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions. Rebooting SMM or FPC will restore access to the management web server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T14:51:34.588Z",
"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"shortName": "lenovo"
},
"references": [
{
"url": "https://support.lenovo.com/us/en/product_security/LEN-127357"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to the firmware version (or newer) indicated for your model in the Lenovo Product Security:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.lenovo.com/us/en/product_security/LEN-127357\"\u003ehttps://support.lenovo.com/us/en/product_security/LEN-127357\u003c/a\u003e"
}
],
"value": "Upgrade to the firmware version (or newer) indicated for your model in the Lenovo Product Security:\u00a0 https://support.lenovo.com/us/en/product_security/LEN-127357"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"assignerShortName": "lenovo",
"cveId": "CVE-2023-2992",
"datePublished": "2023-06-26T19:44:40.121Z",
"dateReserved": "2023-05-30T16:27:48.220Z",
"dateUpdated": "2024-09-16T14:51:34.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
An application must make resources available to a client commensurate with the client's access level.
Mitigation
An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Mitigation
Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
No CAPEC attack patterns related to this CWE.