A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
References
Link | Resource |
---|---|
https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity | Patch |
Configurations
History
17 Oct 2024, 20:59
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity - Patch | |
CPE | cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:* | |
First Time |
Cert vince
Cert |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.9 |
15 Oct 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations. |
15 Oct 2024, 12:57
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
14 Oct 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-14 22:15
Updated : 2024-10-17 20:59
NVD link : CVE-2024-9953
Mitre link : CVE-2024-9953
CVE.ORG link : CVE-2024-9953
JSON object : View
Products Affected
cert
- vince
CWE
CWE-502
Deserialization of Untrusted Data