CVE-2024-1930

May 8, 2024, 1:15 p.m.

6.5
Medium

Description

No Limit on Number of Open Sessions / Bad Session Close Behaviour in dnf5daemon-server before 5.1.17 allows a malicious user to impact Availability via No Limit on Number of Open Sessions. There is no limit on how many sessions D-Bus clients may create using the `open_session()` D-Bus method. For each session a thread is created in dnf5daemon-server. This spends a couple of hundred megabytes of memory in the process. Further connections will become impossible, likely because no more threads can be spawned by the D-Bus service.

Product(s) Impacted

Product Versions
dnf5daemon-server
  • ['before 5.1.17']

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://www.openwall.com/lists/oss-security/2024/03/04/2

Tags

CWE-400
2024-05-08
patrick@puiterwijk.org
CVE-2024-1930

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

    View Vector String

Timeline

Published: May 8, 2024, 2:15 a.m.
Last Modified: May 8, 2024, 1:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

patrick@puiterwijk.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.