Back

CVE-2024-8939

Sept. 17, 2024, 5:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

ilab model serve component

Source

secalert@redhat.com

Tags

secalert@redhat.com
CWE-400
2024-09-17
CVE-2024-8939

CVE-2024-8939 details

Published : Sept. 17, 2024, 5:15 p.m.
Last Modified : Sept. 17, 2024, 5:15 p.m.

Description

A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.

CVSS Score

1 2 3 4 5 6.2 7 8 9 10

Weakness

Weakness Name Description
CWE-400 Uncontrolled Resource Consumption The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVSS Data

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

6.2

Exploitability Score

2.5

Impact Score

3.6

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

URL Source
https://access.redhat.com/security/cve/CVE-2024-8939 secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2312782 secalert@redhat.com
This website uses the NVD API, but is not approved or certified by it.