CVE-2024-45412

Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks such as One Million Unicode payload. This can get worse with the use of special Unicode characters like U+2100 (℀), or U+2105 (℅) which could lead the payload size to be tripled. Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11.
Configurations

Configuration 1 (hide)

cpe:2.3:a:yeti-platform:yeti:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:37

Type Values Removed Values Added
Summary (en) Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks such as One Million Unicode payload. This can get worse with the use of special Unicode characters like U+2100 (?), or U+2105 (?) which could lead the payload size to be tripled. Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11. (en) Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks such as One Million Unicode payload. This can get worse with the use of special Unicode characters like U+2100 (℀), or U+2105 (℅) which could lead the payload size to be tripled. Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11.
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 5.3

20 Sep 2024, 16:32

Type Values Removed Values Added
CPE cpe:2.3:a:yeti-platform:yeti:*:*:*:*:*:*:*:*
Summary
  • (es) Yeti cierra la brecha entre los profesionales de CTI y DFIR al proporcionar una plataforma y un canal de inteligencia forense. Las etiquetas de datos controladas por el usuario remoto pueden alcanzar una normalización Unicode con un formato de compatibilidad NFKD. En Windows, dicha normalización es costosa en recursos y puede provocar una denegación de servicio con ataques como One Million Unicode payload. Esto puede empeorar con el uso de caracteres Unicode especiales como U+2100 (?) o U+2105 (?) que podrían hacer que el tamaño del payload se triplique. Las versiones anteriores a 2.1.11 se ven afectadas por esta vulnerabilidad. El parche está incluido en 2.1.11.
References () https://github.com/yeti-platform/yeti/commit/f1f0082e7c165f148ae95f4deeb2786404797a39 - () https://github.com/yeti-platform/yeti/commit/f1f0082e7c165f148ae95f4deeb2786404797a39 - Patch
References () https://github.com/yeti-platform/yeti/security/advisories/GHSA-cwwm-pq9x-2cxv - () https://github.com/yeti-platform/yeti/security/advisories/GHSA-cwwm-pq9x-2cxv - Vendor Advisory
References () https://hackerone.com/reports/2258758 - () https://hackerone.com/reports/2258758 - Exploit, Issue Tracking, Third Party Advisory
First Time Yeti-platform
Yeti-platform yeti
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 7.5

10 Sep 2024, 17:43

Type Values Removed Values Added
Summary (en) Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks such as One Million Unicode payload. This can get worse with the use of special Unicode characters like U+2100 (℀), or U+2105 (℅) which could lead the payload size to be tripled. Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11. (en) Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial of service with attacks such as One Million Unicode payload. This can get worse with the use of special Unicode characters like U+2100 (?), or U+2105 (?) which could lead the payload size to be tripled. Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11.

10 Sep 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-10 16:15

Updated : 2024-11-21 09:37


NVD link : CVE-2024-45412

Mitre link : CVE-2024-45412

CVE.ORG link : CVE-2024-45412


JSON object : View

Products Affected

yeti-platform

  • yeti
CWE
CWE-770

Allocation of Resources Without Limits or Throttling