CVE-2024-52797
Vulnerability from cvelistv5
Published
2024-11-21 01:30
Modified
2024-11-22 15:19
Severity ?
EPSS score ?
Summary
Searching Opencast may cause a denial of service
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52797",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-22T15:19:09.686374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T15:19:24.289Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opencast",
"vendor": "opencast",
"versions": [
{
"status": "affected",
"version": "\u003e= 11.4, \u003c 13.10"
},
{
"status": "affected",
"version": "\u003e= 14.0, \u003c 14.3"
},
{
"status": "affected",
"version": "\u003e= 15.0, \u003c= 16.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Opencast is free and open source software for automated video capture and distribution. First noticed in Opencast 13 and 14, Opencast\u0027s Elasticsearch integration may generate syntactically invalid Elasticsearch queries in relation to previously acceptable search queries. From Opencast version 11.4 and newer, Elasticsearch queries are retried a configurable number of times in the case of error to handle temporary losses of connection to Elasticsearch. These invalid queries would fail, causing the retry mechanism to begin requerying with the same syntactically invalid query immediately, in an infinite loop. This causes a massive increase in log size which can in some cases cause a denial of service due to disk exhaustion.\n\nOpencast 13.10 and Opencast 14.3 contain patches which address the base issue, with Opencast 16.7 containing changes which harmonize the search behaviour between the admin UI and external API. Users are strongly recommended to upgrade as soon as possible if running versions prior to 13.10 or 14.3. While the relevant endpoints require (by default) `ROLE_ADMIN` or `ROLE_API_SERIES_VIEW`, the problem queries are otherwise innocuous. This issue could be easily triggered by normal administrative work on an affected Opencast system. Those who run a version newer than 13.10 and 14.3 and see different results when searching in their admin UI vs your external API or LMS, may resolve the issue by upgrading to 16.7. No known workarounds for the vulnerability are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T01:30:07.811Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opencast/opencast/security/advisories/GHSA-jh6x-7xfg-9cq2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-jh6x-7xfg-9cq2"
},
{
"name": "https://github.com/opencast/opencast/pull/5033",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencast/opencast/pull/5033"
},
{
"name": "https://github.com/opencast/opencast/pull/5150",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencast/opencast/pull/5150"
}
],
"source": {
"advisory": "GHSA-jh6x-7xfg-9cq2",
"discovery": "UNKNOWN"
},
"title": "Searching Opencast may cause a denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52797",
"datePublished": "2024-11-21T01:30:07.811Z",
"dateReserved": "2024-11-15T17:11:13.439Z",
"dateUpdated": "2024-11-22T15:19:24.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-52797\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-21T11:15:35.480\",\"lastModified\":\"2024-11-21T13:57:24.187\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Opencast is free and open source software for automated video capture and distribution. First noticed in Opencast 13 and 14, Opencast\u0027s Elasticsearch integration may generate syntactically invalid Elasticsearch queries in relation to previously acceptable search queries. From Opencast version 11.4 and newer, Elasticsearch queries are retried a configurable number of times in the case of error to handle temporary losses of connection to Elasticsearch. These invalid queries would fail, causing the retry mechanism to begin requerying with the same syntactically invalid query immediately, in an infinite loop. This causes a massive increase in log size which can in some cases cause a denial of service due to disk exhaustion.\\n\\nOpencast 13.10 and Opencast 14.3 contain patches which address the base issue, with Opencast 16.7 containing changes which harmonize the search behaviour between the admin UI and external API. Users are strongly recommended to upgrade as soon as possible if running versions prior to 13.10 or 14.3. While the relevant endpoints require (by default) `ROLE_ADMIN` or `ROLE_API_SERIES_VIEW`, the problem queries are otherwise innocuous. This issue could be easily triggered by normal administrative work on an affected Opencast system. Those who run a version newer than 13.10 and 14.3 and see different results when searching in their admin UI vs your external API or LMS, may resolve the issue by upgrading to 16.7. No known workarounds for the vulnerability are available.\"},{\"lang\":\"es\",\"value\":\"Opencast es un software libre y de c\u00f3digo abierto para la captura y distribuci\u00f3n automatizada de videos. La integraci\u00f3n de Elasticsearch de Opencast, que se detect\u00f3 por primera vez en Opencast 13 y 14, puede generar consultas de Elasticsearch sint\u00e1cticamente no v\u00e1lidas en relaci\u00f3n con consultas de b\u00fasqueda aceptables anteriormente. A partir de la versi\u00f3n 11.4 de Opencast y posteriores, las consultas de Elasticsearch se vuelven a intentar una cantidad configurable de veces en caso de error para manejar p\u00e9rdidas temporales de conexi\u00f3n con Elasticsearch. Estas consultas no v\u00e1lidas fallar\u00edan, lo que provocar\u00eda que el mecanismo de reintento comenzara a realizar consultas nuevamente con la misma consulta sint\u00e1cticamente no v\u00e1lida de inmediato, en un bucle infinito. Esto provoca un aumento masivo en el tama\u00f1o del registro que, en algunos casos, puede causar una denegaci\u00f3n de servicio debido al agotamiento del disco. Opencast 13.10 y Opencast 14.3 contienen parches que solucionan el problema de base, y Opencast 16.7 contiene cambios que armonizan el comportamiento de b\u00fasqueda entre la interfaz de usuario de administraci\u00f3n y la API externa. Se recomienda encarecidamente a los usuarios que actualicen lo antes posible si ejecutan versiones anteriores a 13.10 o 14.3. Si bien los endpoints relevantes requieren (de manera predeterminada) `ROLE_ADMIN` o `ROLE_API_SERIES_VIEW`, las consultas problem\u00e1ticas son inofensivas. Este problema podr\u00eda desencadenarse f\u00e1cilmente mediante el trabajo administrativo normal en un sistema Opencast afectado. Aquellos que ejecutan una versi\u00f3n m\u00e1s reciente que 13.10 y 14.3 y ven resultados diferentes al buscar en su interfaz de usuario de administraci\u00f3n en comparaci\u00f3n con su API externa o LMS, pueden resolver el problema actualizando a 16.7. No se workarounds para la vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/opencast/opencast/pull/5033\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/opencast/opencast/pull/5150\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/opencast/opencast/security/advisories/GHSA-jh6x-7xfg-9cq2\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.