cnvd - cnvd-2024-24943

CNVD-2024-24943

Vulnerability from cnvd - Published: 2024-05-29

Title

XAMPP资源管理错误漏洞

Description

XAMPP是一个易于安装的Apache发行版，包含MariaDB、PHP和Perl。该产品主要用于构建网页服务器。 XAMPP 7.3.2及之前版本存在资源管理错误漏洞，该漏洞源于未对输入的错误消息做正确的处理，攻击者可利用该漏洞造成应用拒绝服务。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.incibe.es/en/incibe-cert/notices/aviso/vulnerability-uncontrolled-resource-consumption-xampp

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-5055

Impacted products

Name
XAMPP XAMPP <=7.3.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-5055",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-5055"
    }
  },
  "description": "XAMPP\u662f\u4e00\u4e2a\u6613\u4e8e\u5b89\u88c5\u7684Apache\u53d1\u884c\u7248\uff0c\u5305\u542bMariaDB\u3001PHP\u548cPerl\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u7f51\u9875\u670d\u52a1\u5668\u3002\n\nXAMPP 7.3.2\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u5bf9\u8f93\u5165\u7684\u9519\u8bef\u6d88\u606f\u505a\u6b63\u786e\u7684\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u5e94\u7528\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.incibe.es/en/incibe-cert/notices/aviso/vulnerability-uncontrolled-resource-consumption-xampp",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-24943",
  "openTime": "2024-05-29",
  "products": {
    "product": "XAMPP XAMPP \u003c=7.3.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-5055",
  "serverity": "\u9ad8",
  "submitTime": "2024-05-22",
  "title": "XAMPP\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2024-5055 (GCVE-0-2024-5055)

Vulnerability from cvelistv5 – Published: 2024-05-17 12:03 – Updated: 2024-08-01 21:03

Summary

Uncontrolled resource consumption vulnerability in XAMPP Windows, versions 7.3.2 and earlier. This vulnerability exists when XAMPP attempts to process many incomplete HTTP requests, resulting in resource consumption and system crashes.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

INCIBE

References

URL

Tags

https://www.incibe.es/en/incibe-cert/notices/avis…

Impacted products

	Vendor	Product	Version
	Apache Friends	XAMPP	Affected: 7.3.2

Credits

Rafael Pedrero

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apachefriends:xampp:7.3.2:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xampp",
            "vendor": "apachefriends",
            "versions": [
              {
                "status": "affected",
                "version": "7.3.2"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5055",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-17T14:31:23.280141Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:01:56.403Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:03:10.356Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/vulnerability-uncontrolled-resource-consumption-xampp"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "XAMPP",
          "vendor": "Apache Friends",
          "versions": [
            {
              "status": "affected",
              "version": "7.3.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafael Pedrero"
        }
      ],
      "datePublic": "2024-05-17T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Uncontrolled resource consumption vulnerability in XAMPP Windows, versions 7.3.2 and earlier. This vulnerability exists when XAMPP attempts to process many incomplete HTTP requests, resulting in resource consumption and system crashes."
            }
          ],
          "value": "Uncontrolled resource consumption vulnerability in XAMPP Windows, versions 7.3.2 and earlier. This vulnerability exists when XAMPP attempts to process many incomplete HTTP requests, resulting in resource consumption and system crashes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-17T12:03:19.748Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/vulnerability-uncontrolled-resource-consumption-xampp"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Vulnerability of uncontrolled resource consumption in XAMPP",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2024-5055",
    "datePublished": "2024-05-17T12:03:19.748Z",
    "dateReserved": "2024-05-17T09:45:56.213Z",
    "dateUpdated": "2024-08-01T21:03:10.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-24943

CVE-2024-5055 (GCVE-0-2024-5055)

Tags

Sightings

Nomenclature