CVE-2024-23826

Published Jan 29, 2024

Last updated 9 months ago

Overview

Description: spbu_se_site is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is due to no limitation of the length of the filename and the costly use of the Unicode normalization with the form NFKD on Windows OS. This vulnerability was fixed in the 2024.01.29 release.
Source: security-advisories@github.com
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.7
Impact score: 3.6
Exploitability score: 2.1
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Severity: MEDIUM

Weaknesses

nvd@nist.gov: CWE-770
security-advisories@github.com: CWE-770

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:se.math.spbu:spbu_se_site:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1FF8CD3A-E3DF-4A93-BE6F-8057AD60ED84",
            "versionEndExcluding": "2024.01.29"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 3.1

Weaknesses

Configurations

References