CVE-2024-31217

June 12, 2024, 3:15 p.m.

5.3
Medium

Description

Strapi is an open-source content management system. Prior to version 4.22.0, a denial-of-service vulnerability is present in the media upload process causing the server to crash without restarting, affecting either development and production environments. Usually, errors in the application cause it to log the error and keep it running for other clients. This behavior, in contrast, stops the server execution, making it unavailable for any clients until it's manually restarted. Any user with access to the file upload functionality is able to exploit this vulnerability, affecting applications running in both development mode and production mode as well. Users should upgrade @strapi/plugin-upload to version 4.22.0 to receive a patch.

Product(s) Impacted

Product Versions
Strapi
  • before 4.22.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/strapi/strapi/commit/a0da7e73e1496d835fe71a2febb14f70170135c7
https://github.com/strapi/strapi/security/advisories/GHSA-pm9q-xj9p-96pm

Tags

security-advisories@github.com
CWE-248
2024-06-12
CVE-2024-31217

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: June 12, 2024, 3:15 p.m.
Last Modified: June 12, 2024, 3:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.