CVE-2024-9056

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-9056

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

B

entoML version v1.3.4post1 is vulnerable to a Denial of Service (DoS) attack. The vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. This causes the server to continuously process each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

References
Link Resource
https://huntr.com/bounties/a24a13c2-0300-4a95-b26a-ac7fe8f6521b
Configurations

No configuration.

History

15 Oct 2025, 13:15

Type Values Removed Values Added
Summary
  • (es) La versión v1.3.4post1 de BentoML es vulnerable a un ataque de denegación de servicio (DoS). Esta vulnerabilidad se puede explotar añadiendo caracteres, como guiones (-), al final de un límite multiparte en una solicitud HTTP. Esto provoca que el servidor procese continuamente cada carácter, lo que genera un consumo excesivo de recursos y deja el servicio indisponible. El problema no requiere autenticación y no requiere la interacción del usuario, lo que afecta a todos los usuarios del servicio.
CWE CWE-400 CWE-770

20 Mar 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-9056

Mitre link : CVE-2024-9056

CVE.ORG link : CVE-2024-9056

JSON object : View

Products Affected

No product.

CWE
CWE-770

Allocation of Resources Without Limits or Throttling