Today > vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-52581

Nov. 25, 2024, 2:15 p.m.

Tags

security-advisories@github.com
CWE-770
2024-11-20
CVE-2024-52581

CVSS Score

7.5 / 10

Products Impacted

Vendor Product Versions
litestar
  • litestar
  • *

Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.

Weaknesses

CWE-770
Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

CWE ID: 770

Date

Published: Nov. 20, 2024, 9:15 p.m.

Last Modified: Nov. 25, 2024, 2:15 p.m.

Status : Modified

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a litestar litestar / / / / / / / /

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score
7.5
Exploitability Score
3.9
Impact Score
3.6
Base Severity
HIGH
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/ security-advisories@github.com
https://github.com/ security-advisories@github.com
https://github.com/ security-advisories@github.com
https://github.com/ security-advisories@github.com