GHSA-JJ6M-R8JC-2GP7

Vulnerability from github – Published: 2021-06-23 18:03 – Updated: 2022-10-25 20:24
VLAI?
Summary
Asymmetric Resource Consumption (Amplification) in Docker containers created by Wings
Details

Impact

All versions of Pterodactyl Wings preior to 1.4.4 are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more resources than intended and cause downstream impacts to other clients on the same hardware, eventually causing the physical server to stop responding.

Patches

Users should upgrade to 1.4.4.

Workarounds

There is no non-code based workaround for impacted versions of the software. Users running customized versions of this software can manually set a PID limit for containers created.

For more information

If you have any questions or comments about this advisory: * Contact us on Discord * Email us at dane ät pterodactyl dot io

Severity ?
6.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pterodactyl/wings"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-405",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-22T15:43:57Z",
    "nvd_published_at": "2021-06-22T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAll versions of Pterodactyl Wings preior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more resources than intended and cause downstream impacts to other clients on the same hardware, eventually causing the physical server to stop responding.\n\n### Patches\nUsers should upgrade to `1.4.4`.\n\n### Workarounds\nThere is no non-code based workaround for impacted versions of the software. Users running customized versions of this software can manually set a PID limit for containers created.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact us on [Discord](https://discord.gg/pterodactyl)\n* Email us at `dane \u00e4t pterodactyl dot io`",
  "id": "GHSA-jj6m-r8jc-2gp7",
  "modified": "2022-10-25T20:24:52Z",
  "published": "2021-06-23T18:03:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-jj6m-r8jc-2gp7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32699"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/wings/commit/e0078eee0a71d61573a94c75e6efcad069d78de3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pterodactyl/wings"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Asymmetric Resource Consumption (Amplification) in Docker containers created by Wings "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.