CVE-2024-8939 (GCVE-0-2024-8939)
Vulnerability from cvelistv5
Published
2024-09-17 16:21
Modified
2025-01-14 08:28
Severity ?
6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS score ?
0.03% (0.07305)
Summary
A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-8939
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2312782
Impacted products
Vendor Product Version
Version: 0   < 0.5.0.post1
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux AI (RHEL AI)     cpe:/a:redhat:enterprise_linux_ai:1
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux AI (RHEL AI)     cpe:/a:redhat:enterprise_linux_ai:1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-8939",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-17T19:51:11.286179Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-17T19:51:22.039Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://github.com/vllm-project/vllm",
               defaultStatus: "unaffected",
               packageName: "vllm",
               versions: [
                  {
                     lessThan: "0.5.0.post1",
                     status: "affected",
                     version: "0",
                     versionType: "custom",
                  },
               ],
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:enterprise_linux_ai:1",
               ],
               defaultStatus: "affected",
               packageName: "rhelai1/bootc-nvidia-rhel9",
               product: "Red Hat Enterprise Linux AI (RHEL AI)",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:enterprise_linux_ai:1",
               ],
               defaultStatus: "affected",
               packageName: "rhelai1/instructlab-nvidia-rhel9",
               product: "Red Hat Enterprise Linux AI (RHEL AI)",
               vendor: "Red Hat",
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Red Hat would like to thank Thibault Guittet for reporting this issue.",
            },
         ],
         datePublic: "2024-09-17T00:00:00+00:00",
         descriptions: [
            {
               lang: "en",
               value: "A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     namespace: "https://access.redhat.com/security/updates/classification/",
                     value: "Moderate",
                  },
                  type: "Red Hat severity rating",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "HIGH",
                  baseScore: 6.2,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-400",
                     description: "Uncontrolled Resource Consumption",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-14T08:28:57.142Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               tags: [
                  "vdb-entry",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/security/cve/CVE-2024-8939",
            },
            {
               name: "RHBZ#2312782",
               tags: [
                  "issue-tracking",
                  "x_refsource_REDHAT",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312782",
            },
         ],
         timeline: [
            {
               lang: "en",
               time: "2024-09-17T08:05:00.413000+00:00",
               value: "Reported to Red Hat.",
            },
            {
               lang: "en",
               time: "2024-09-17T00:00:00+00:00",
               value: "Made public.",
            },
         ],
         title: "Vllm: denials of service in vllm json web api",
         workarounds: [
            {
               lang: "en",
               value: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
            },
         ],
         x_redhatCweChain: "CWE-400: Uncontrolled Resource Consumption",
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2024-8939",
      datePublished: "2024-09-17T16:21:15.222Z",
      dateReserved: "2024-09-17T08:06:08.909Z",
      dateUpdated: "2025-01-14T08:28:57.142Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         descriptions: "[{\"lang\": \"en\", \"value\": \"A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 una vulnerabilidad en el componente de servicio de modelos ilab, donde el manejo inadecuado del par\\u00e1metro best_of en la API web JSON vllm puede provocar una denegaci\\u00f3n de servicio (DoS). La API utilizada para completar oraciones o chats basados en LLM acepta un par\\u00e1metro best_of para devolver la mejor opci\\u00f3n de varias opciones. Cuando este par\\u00e1metro se establece en un valor alto, la API no maneja los tiempos de espera o el agotamiento de recursos de manera adecuada, lo que permite que un atacante provoque una denegaci\\u00f3n de servicio al consumir recursos excesivos del sistema. Esto hace que la API deje de responder, lo que impide que los usuarios leg\\u00edtimos accedan al servicio.\"}]",
         id: "CVE-2024-8939",
         lastModified: "2024-09-20T12:30:51.220",
         metrics: "{\"cvssMetricV31\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.2, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 3.6}]}",
         published: "2024-09-17T17:15:11.327",
         references: "[{\"url\": \"https://access.redhat.com/security/cve/CVE-2024-8939\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2312782\", \"source\": \"secalert@redhat.com\"}]",
         sourceIdentifier: "secalert@redhat.com",
         vulnStatus: "Awaiting Analysis",
         weaknesses: "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2024-8939\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2024-09-17T17:15:11.327\",\"lastModified\":\"2024-09-20T12:30:51.220\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.\"},{\"lang\":\"es\",\"value\":\"Se encontró una vulnerabilidad en el componente de servicio de modelos ilab, donde el manejo inadecuado del parámetro best_of en la API web JSON vllm puede provocar una denegación de servicio (DoS). La API utilizada para completar oraciones o chats basados en LLM acepta un parámetro best_of para devolver la mejor opción de varias opciones. Cuando este parámetro se establece en un valor alto, la API no maneja los tiempos de espera o el agotamiento de recursos de manera adecuada, lo que permite que un atacante provoque una denegación de servicio al consumir recursos excesivos del sistema. Esto hace que la API deje de responder, lo que impide que los usuarios legítimos accedan al servicio.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2024-8939\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2312782\",\"source\":\"secalert@redhat.com\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8939\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-17T19:51:11.286179Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-17T19:51:17.705Z\"}}], \"cna\": {\"title\": \"Vllm: denials of service in vllm json web api\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Thibault Guittet for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.5.0.post1\", \"versionType\": \"custom\"}], \"packageName\": \"vllm\", \"collectionURL\": \"https://github.com/vllm-project/vllm\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI)\", \"packageName\": \"rhelai1/bootc-nvidia-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux_ai:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux AI (RHEL AI)\", \"packageName\": \"rhelai1/instructlab-nvidia-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-09-17T08:05:00.413000+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2024-09-17T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2024-09-17T00:00:00+00:00\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2024-8939\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2312782\", \"name\": \"RHBZ#2312782\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-01-14T08:28:57.142Z\"}, \"x_redhatCweChain\": \"CWE-400: Uncontrolled Resource Consumption\"}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-8939\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-14T08:28:57.142Z\", \"dateReserved\": \"2024-09-17T08:06:08.909Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2024-09-17T16:21:15.222Z\", \"assignerShortName\": \"redhat\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.