Vulnerability-Lookup

CVE-2024-52581 (GCVE-0-2024-52581)

Vulnerability from cvelistv5 – Published: 2024-11-20 20:50 – Updated: 2024-11-25 13:46

Title

Litestar allows unbounded resource consumption (DoS vulnerability)

Summary

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

	https://github.com/litestar-org/litestar/security…	x_refsource_CONFIRM
	https://github.com/litestar-org/litestar/security…	x_refsource_MISC
	https://github.com/litestar-org/litestar/commit/5…	x_refsource_MISC
	https://github.com/litestar-org/litestar/blob/mai…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	litestar-org	litestar	Affected: < 2.13.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:litestar-org:litestar:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "litestar",
            "vendor": "litestar-org",
            "versions": [
              {
                "lessThan": "2.13.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52581",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-21T14:05:15.626887Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-21T14:38:42.858Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "litestar",
          "vendor": "litestar-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-25T13:46:28.592Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj"
        },
        {
          "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q"
        },
        {
          "name": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138"
        },
        {
          "name": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97"
        }
      ],
      "source": {
        "advisory": "GHSA-gjcc-jvgw-wvwj",
        "discovery": "UNKNOWN"
      },
      "title": "Litestar allows unbounded resource consumption (DoS vulnerability)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52581",
    "datePublished": "2024-11-20T20:50:19.679Z",
    "dateReserved": "2024-11-14T15:05:46.765Z",
    "dateUpdated": "2024-11-25T13:46:28.592Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52581\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-21T14:05:15.626887Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:litestar-org:litestar:*:*:*:*:*:*:*:*\"], \"vendor\": \"litestar-org\", \"product\": \"litestar\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.13.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-21T14:04:36.521Z\"}}], \"cna\": {\"title\": \"Litestar allows unbounded resource consumption (DoS vulnerability)\", \"source\": {\"advisory\": \"GHSA-gjcc-jvgw-wvwj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"litestar-org\", \"product\": \"litestar\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.13.0\"}]}], \"references\": [{\"url\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj\", \"name\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q\", \"name\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138\", \"name\": \"https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97\", \"name\": \"https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-25T13:46:28.592Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52581\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-25T13:46:28.592Z\", \"dateReserved\": \"2024-11-14T15:05:46.765Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-20T20:50:19.679Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-GJCC-JVGW-WVWJ

Vulnerability from github – Published: 2024-11-20 21:38 – Updated: 2025-01-21 18:12

Summary

Litestar allows unbounded resource consumption (DoS vulnerability)

Details

Summary

Litestar offers multiple methods to return a parsed representation of the request body, as well as extractors that rely on those parsers to map request content to structured data types. Multiple of those parsers do not have size limits when reading the request body into memory, which allows an attacker to cause excessive memory consumption on the server by sending large requests.

Details

The Request methods to parse json, msgpack or form-data all read the entire request stream into memory via await self.body() without a prior size check or size limit. There may be other places (e.g. extractors) where this can happen.

For most formats, a configurable size limit would be sufficient to mitigate this issue. The total request size can also be limited by a proxy (e.g. nginx) in front of the actual application as a workaround. However, for applications that actually want to accept large file uploads via multipart/form-data, a simple size limit would not be practical. The multipart parser currently used by Litestar expects a single byte string as input and does not support incremental parsing via Request.stream(). Applications could bypass the Litestar parser and use a streaming parser to read from Request.stream() instead, but that would not work with extractors and other features of the framework. Switching the parser for a different implementation is currently not possible via public APIs.

PoC

Start an applications that accesses Request.json(), Request.msgpack() or Request.form() or uses an extractor that relies on those parsers internally, and send a large request with a matching content type. The actual content of the request does not matter. For example: `curl -F "foo=

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.12.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "litestar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "starlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.51.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-20T21:38:58Z",
    "nvd_published_at": "2024-11-20T21:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nLitestar offers multiple methods to return a parsed representation of the request body, as well as extractors that rely on those parsers to map request content to structured data types. Multiple of those parsers do not have size limits when reading the request body into memory, which allows an attacker to cause excessive memory consumption on the server by sending large requests.\n\n### Details\nThe `Request` methods to parse json, msgpack or form-data all read the entire request stream into memory via `await self.body()` without a prior size check or size limit. There may be other places (e.g. extractors) where this can happen.\n\nFor most formats, a configurable size limit would be sufficient to mitigate this issue. The total request size can also be limited by a proxy (e.g. nginx) in front of the actual application as a workaround. However, for applications that actually want to accept large file uploads via `multipart/form-data`, a simple size limit would not be practical. The multipart parser currently used by Litestar expects a single byte string as input and does not support incremental parsing via `Request.stream()`. Applications could bypass the Litestar parser and use a [streaming parser](https://pypi.org/project/multipart/) to read from `Request.stream()` instead, but that would not work with extractors and other features of the framework. Switching the parser for a different implementation is currently not possible via public APIs.\n\n### PoC\nStart an applications that accesses `Request.json()`, `Request.msgpack()` or `Request.form()` or uses an extractor that relies on those parsers internally, and send a large request with a matching content type. The actual content of the request does not matter. For example: `curl -F \"foo=\u003c/dev/random\" http://127.0.0.1:8000/`) for `multipart/form-data`. Server memory consumption will increase very quickly until memory (and swap) are exhausted.\n\n### Impact\nThis is a denial of service (DoS) vulnerability affecting all Litestar applications that process json, msgpack or form-data submission requests.\n",
  "id": "GHSA-gjcc-jvgw-wvwj",
  "modified": "2025-01-21T18:12:08Z",
  "published": "2024-11-20T21:38:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52581"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/litestar-org/litestar"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/litestar/PYSEC-2024-178.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Litestar allows unbounded resource consumption (DoS vulnerability) "
}

PYSEC-2024-178

Vulnerability from pysec - Published: 2024-11-20 21:15 - Updated: 2025-01-19 01:52

Details

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a multipart/form-data request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impacted products

Name	purl
litestar	pkg:pypi/litestar

Aliases

CVE-2024-52581

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litestar",
        "purl": "pkg:pypi/litestar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "53c1473b5ff7502816a9a339ffc90731bb0c2138"
            }
          ],
          "repo": "https://github.com/litestar-org/litestar",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.0a0",
        "2.0.0",
        "2.0.0a3",
        "2.0.0a4",
        "2.0.0a5",
        "2.0.0a6",
        "2.0.0a7",
        "2.0.0b1",
        "2.0.0b2",
        "2.0.0b3",
        "2.0.0b4",
        "2.0.0rc1",
        "2.0.1",
        "2.1.0",
        "2.1.1",
        "2.10.0",
        "2.11.0",
        "2.12.0",
        "2.12.1",
        "2.2.0",
        "2.2.1",
        "2.3.0",
        "2.3.1",
        "2.3.2",
        "2.4.0",
        "2.4.1",
        "2.4.2",
        "2.4.3",
        "2.4.4",
        "2.4.5",
        "2.5.0",
        "2.5.1",
        "2.5.2",
        "2.5.3",
        "2.5.4",
        "2.5.5",
        "2.6.0",
        "2.6.1",
        "2.6.2",
        "2.6.3",
        "2.6.4",
        "2.7.0",
        "2.7.1",
        "2.7.2",
        "2.8.0",
        "2.8.1",
        "2.8.2",
        "2.8.3",
        "2.9.0",
        "2.9.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52581"
  ],
  "details": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0.",
  "id": "PYSEC-2024-178",
  "modified": "2025-01-19T01:52:23.772726+00:00",
  "published": "2024-11-20T21:15:08+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj"
    },
    {
      "type": "FIX",
      "url": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97"
    }
  ],
  "related": [
    "GHSA-gjcc-jvgw-wvwj",
    "GHSA-p24m-863f-fm6q"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2024-52581

Vulnerability from fkie_nvd - Published: 2024-11-20 21:15 - Updated: 2024-11-25 14:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97	Product
security-advisories@github.com	https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138	Patch
security-advisories@github.com	https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj	Exploit, Vendor Advisory
security-advisories@github.com	https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q

Impacted products

	Vendor	Product	Version
	litestar	litestar	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "51E468EE-A2F5-400C-933E-CF680AB26EA3",
              "versionEndExcluding": "2.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0."
    },
    {
      "lang": "es",
      "value": "Litestar es un framework de interfaz de puerta de enlace de servidor asincr\u00f3nico (ASGI). Antes de la versi\u00f3n 2.13.0, el analizador de formularios multiparte que se incluye con litestar espera que todo el cuerpo de la solicitud sea una cadena de un solo byte y no hay un l\u00edmite predeterminado para el tama\u00f1o total del cuerpo de la solicitud. Esto permite que un atacante cargue archivos arbitrarios de gran tama\u00f1o envueltos en una solicitud `multipart/form-data` y provoque un consumo excesivo de memoria en el servidor. El analizador de formularios multiparte en las versiones afectadas es vulnerable a este tipo de ataque por dise\u00f1o. La firma del m\u00e9todo p\u00fablico, as\u00ed como su implementaci\u00f3n, esperan que todo el cuerpo de la solicitud est\u00e9 disponible como una cadena de un solo byte. No es posible aceptar cargas de archivos grandes de forma segura utilizando este analizador. Esto puede ser una regresi\u00f3n, ya que ya se inform\u00f3 de una variaci\u00f3n de este problema en CVE-2023-25578. Limitar el n\u00famero de partes no es suficiente para evitar errores de falta de memoria en el servidor. Hay un parche disponible en la versi\u00f3n 2.13.0."
    }
  ],
  "id": "CVE-2024-52581",
  "lastModified": "2024-11-25T14:15:07.077",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-20T21:15:08.320",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-52581 (GCVE-0-2024-52581)

GHSA-GJCC-JVGW-WVWJ

Summary

Details

PoC

PYSEC-2024-178

FKIE_CVE-2024-52581

Tags

Sightings

Nomenclature