CVE-2024-34695 (GCVE-0-2024-34695)

Vulnerability from cvelistv5 – Published: 2024-05-10 15:57 – Updated: 2024-08-02 02:59
Title
WOWS Karma vulnerable to a post submission bounce/timing attack
Summary
WOWS Karma is a reputation system for Wargaming's World of Warships. A user is able to click multiple times on "create" on a post creation prompt before the modal closes, which triggers sending several post creation API requests at once. Due to timing, sending multiple post creation requests simultaneously bypasses the cooldown validation; however, the user's metrics are not refreshed more than once, due to concurrent karma updates. This issue is fixed in 0.17.4.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-799 - Improper Control of Interaction Frequency
Assigner: GitHub_M
Impacted products
Vendor Product Version
SakuraIsayeki WOWS-Karma Affected: <= 0.17.4

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34695",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-05T16:10:44.417474Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-05T16:10:53.696Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:59:22.237Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g"
          },
          {
            "name": "https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a"
          },
          {
            "name": "https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WOWS-Karma",
          "vendor": "SakuraIsayeki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.17.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WOWS Karma is a reputation system for Wargaming\u0027s World of Warships. A user is able to click multiple times on \"create\" on a post creation prompt before the modal closes, which triggers sending several post creation API requests at once. Due to timing, sending multiple posts simultaneously requests bypasses the cooldown validation, however are not refreshing a user\u0027s metrics more than once, due to concurrent karma updates. This issue is fixed in 0.17.4.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-799",
              "description": "CWE-799: Improper Control of Interaction Frequency",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-10T15:57:03.049Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g"
        },
        {
          "name": "https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a"
        },
        {
          "name": "https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2"
        }
      ],
      "source": {
        "advisory": "GHSA-v6cc-v976-mj8g",
        "discovery": "UNKNOWN"
      },
      "title": "WOWS Karma vulnerable to a post submission bounce/timing attack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34695",
    "datePublished": "2024-05-10T15:57:03.049Z",
    "dateReserved": "2024-05-07T13:53:00.131Z",
    "dateUpdated": "2024-08-02T02:59:22.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-34695",
      "date": "2026-06-10",
      "epss": "0.00392",
      "percentile": "0.6062"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"WOWS Karma is a reputation system for Wargaming\u0027s World of Warships. A user is able to click multiple times on \\\"create\\\" on a post creation prompt before the modal closes, which triggers sending several post creation API requests at once. Due to timing, sending multiple posts simultaneously requests bypasses the cooldown validation, however are not refreshing a user\u0027s metrics more than once, due to concurrent karma updates. This issue is fixed in 0.17.4.1.\"}, {\"lang\": \"es\", \"value\": \"WOWS Karma es un sistema de reputaci\\u00f3n para World of Warships de Wargaming. Un usuario puede hacer clic varias veces en \\\"crear\\\" en un mensaje de creaci\\u00f3n de publicaciones antes de que se cierre el modo, lo que desencadena el env\\u00edo de varias solicitudes API de creaci\\u00f3n de publicaciones a la vez. Debido al tiempo, el env\\u00edo de solicitudes de publicaciones m\\u00faltiples simult\\u00e1neamente omite la validaci\\u00f3n del tiempo de reutilizaci\\u00f3n; sin embargo, no se actualizan las m\\u00e9tricas de un usuario m\\u00e1s de una vez, debido a las actualizaciones de karma simult\\u00e1neas. Este problema se solucion\\u00f3 en 0.17.4.1.\"}]",
      "id": "CVE-2024-34695",
      "lastModified": "2024-11-21T09:19:12.883",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 4.2}]}",
      "published": "2024-05-14T15:39:26.783",
      "references": "[{\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-799\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34695\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-14T15:39:26.783\",\"lastModified\":\"2024-11-21T09:19:12.883\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WOWS Karma is a reputation system for Wargaming\u0027s World of Warships. A user is able to click multiple times on \\\"create\\\" on a post creation prompt before the modal closes, which triggers sending several post creation API requests at once. Due to timing, sending multiple posts simultaneously requests bypasses the cooldown validation, however are not refreshing a user\u0027s metrics more than once, due to concurrent karma updates. This issue is fixed in 0.17.4.1.\"},{\"lang\":\"es\",\"value\":\"WOWS Karma es un sistema de reputaci\u00f3n para World of Warships de Wargaming. Un usuario puede hacer clic varias veces en \\\"crear\\\" en un mensaje de creaci\u00f3n de publicaciones antes de que se cierre el modo, lo que desencadena el env\u00edo de varias solicitudes API de creaci\u00f3n de publicaciones a la vez. Debido al tiempo, el env\u00edo de solicitudes de publicaciones m\u00faltiples simult\u00e1neamente omite la validaci\u00f3n del tiempo de reutilizaci\u00f3n; sin embargo, no se actualizan las m\u00e9tricas de un usuario m\u00e1s de una vez, debido a las actualizaciones de karma simult\u00e1neas. Este problema se solucion\u00f3 en 0.17.4.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-799\"}]}],\"references\":[{\"url\":\"https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g\", \"name\": \"https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a\", \"name\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2\", \"name\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:59:22.237Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34695\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-05T16:10:44.417474Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-05T16:10:48.656Z\"}}], \"cna\": {\"title\": \"WOWS Karma vulnerable to a post submission bounce/timing attack\", \"source\": {\"advisory\": \"GHSA-v6cc-v976-mj8g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"SakuraIsayeki\", \"product\": \"WOWS-Karma\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 0.17.4\"}]}], \"references\": [{\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g\", \"name\": \"https://github.com/SakuraIsayeki/WOWS-Karma/security/advisories/GHSA-v6cc-v976-mj8g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a\", \"name\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/3210b516fa3551e30fe760c915f7656d9046e69a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2\", \"name\": \"https://github.com/SakuraIsayeki/WOWS-Karma/commit/6cb825976f28c68d79172aeda00e955bf5853de2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WOWS Karma is a reputation system for Wargaming\u0027s World of Warships. A user is able to click multiple times on \\\"create\\\" on a post creation prompt before the modal closes, which triggers sending several post creation API requests at once. Due to timing, sending multiple posts simultaneously requests bypasses the cooldown validation, however are not refreshing a user\u0027s metrics more than once, due to concurrent karma updates. This issue is fixed in 0.17.4.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-799\", \"description\": \"CWE-799: Improper Control of Interaction Frequency\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-10T15:57:03.049Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-34695\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:59:22.237Z\", \"dateReserved\": \"2024-05-07T13:53:00.131Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-10T15:57:03.049Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}