CVE-2024-9953

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-9953
A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.

4.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity Patch
Configurations

Configuration 1 (hide)

cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*
History

17 Oct 2024, 20:59

Type Values Removed Values Added
References () https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity - () https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity - Patch
CPE cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*
First Time Cert vince
Cert
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.9

15 Oct 2024, 15:15

Type Values Removed Values Added
Summary (en) A Potential DOS Vulnerability exists in CERT VINCE software prior to version 3.0.8. An authenticated administrative user can inject an arbitrary pickle object as part of a user's profile. This can lead to a potential DoS on the server when the user's profile is accessed. Django server does restrict unpickling from crashing the server. (en) A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.

15 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de denegación de servicio potencial en el software CERT VINCE anterior a la versión 3.0.8. Un usuario administrativo autenticado puede inyectar un objeto pickle arbitrario como parte del perfil de un usuario. Esto puede provocar una posible denegación de servicio en el servidor cuando se accede al perfil del usuario. El servidor Django impide que la desinstalación del pickle haga que el servidor se bloquee.

14 Oct 2024, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-14 22:15

Updated : 2024-10-17 20:59

NVD link : CVE-2024-9953

Mitre link : CVE-2024-9953

CVE.ORG link : CVE-2024-9953

JSON object : View

Products Affected

cert

  • vince
CWE
CWE-502

Deserialization of Untrusted Data