Vulnerabilities related to litestar - litestar
Vulnerability from fkie_nvd
Published
2024-11-20 21:15
Modified
2024-11-25 14:15
Summary
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with Litestar expects the entire request body as a single byte string, and there is no default limit on the total size of the request body. An unauthenticated remote attacker (CVSS AV:N/PR:N) can therefore send arbitrarily large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server, i.e. a denial of service (CWE-770, allocation of resources without limits or throttling). The multipart form parser in affected versions is vulnerable to this type of attack by design: both the public method signature and its implementation expect the entire request body to be available in memory as a single byte string, so it is not possible to accept large file uploads safely using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the number of parts is not sufficient to prevent out-of-memory errors on the server, because a single part can still be arbitrarily large. A patch is available in version 2.13.0; until the upgrade is applied, a maximum request body size enforced in front of the application (for example at a reverse proxy) mitigates the issue, since the affected parser imposes no limit of its own.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:litestar:litestar:*:*:*:*:*:*:*:*", "matchCriteriaId": "51E468EE-A2F5-400C-933E-CF680AB26EA3", "versionEndExcluding": "2.13.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0." }, { "lang": "es", "value": "Litestar es un framework de interfaz de puerta de enlace de servidor asincr\u00f3nico (ASGI). Antes de la versi\u00f3n 2.13.0, el analizador de formularios multiparte que se incluye con litestar espera que todo el cuerpo de la solicitud sea una \u00fanica cadena de bytes y no hay un l\u00edmite predeterminado para el tama\u00f1o total del cuerpo de la solicitud. Esto permite que un atacante cargue archivos arbitrariamente grandes envueltos en una solicitud `multipart/form-data` y provoque un consumo excesivo de memoria en el servidor. El analizador de formularios multiparte en las versiones afectadas es vulnerable a este tipo de ataque por dise\u00f1o. 
La firma del m\u00e9todo p\u00fablico, as\u00ed como su implementaci\u00f3n, esperan que todo el cuerpo de la solicitud est\u00e9 disponible como una \u00fanica cadena de bytes. No es posible aceptar cargas de archivos grandes de forma segura utilizando este analizador. Esto puede ser una regresi\u00f3n, puesto que ya se inform\u00f3 de una variaci\u00f3n de este problema en CVE-2023-25578. Limitar el n\u00famero de partes no es suficiente para evitar errores de falta de memoria en el servidor. Hay un parche disponible en la versi\u00f3n 2.13.0." } ], "id": "CVE-2024-52581", "lastModified": "2024-11-25T14:15:07.077", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": 
"NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-11-20T21:15:08.320", "references": [ { "source": "security-advisories@github.com", "tags": [ "Product" ], "url": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj" }, { "source": "security-advisories@github.com", "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
cve-2024-52581
Vulnerability from cvelistv5
Published
2024-11-20 20:50
Modified
2024-11-25 13:46
Summary
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with Litestar expects the entire request body as a single byte string, and there is no default limit on the total size of the request body. An unauthenticated remote attacker (CVSS AV:N/PR:N) can therefore send arbitrarily large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server, i.e. a denial of service (CWE-770, allocation of resources without limits or throttling). The multipart form parser in affected versions is vulnerable to this type of attack by design: both the public method signature and its implementation expect the entire request body to be available in memory as a single byte string, so it is not possible to accept large file uploads safely using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the number of parts is not sufficient to prevent out-of-memory errors on the server, because a single part can still be arbitrarily large. A patch is available in version 2.13.0; until the upgrade is applied, a maximum request body size enforced in front of the application (for example at a reverse proxy) mitigates the issue, since the affected parser imposes no limit of its own.
References
Impacted products
Vendor | Product | Version
---|---|---
litestar-org | litestar | < 2.13.0
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:litestar-org:litestar:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "litestar", "vendor": "litestar-org", "versions": [ { "lessThan": "2.13.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-52581", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-21T14:05:15.626887Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-21T14:38:42.858Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "litestar", "vendor": "litestar-org", "versions": [ { "status": "affected", "version": "\u003c 2.13.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to upload arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on the server. The multipart form parser in affected versions is vulnerable to this type of attack by design. The public method signature as well as its implementation both expect the entire request body to be available as a single byte string. It is not possible to accept large file uploads in a safe way using this parser. This may be a regression, as a variation of this issue was already reported in CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server. A patch is available in version 2.13.0." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-25T13:46:28.592Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-gjcc-jvgw-wvwj" }, { "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-p24m-863f-fm6q" }, { "name": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/litestar-org/litestar/commit/53c1473b5ff7502816a9a339ffc90731bb0c2138" }, { "name": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/litestar-org/litestar/blob/main/litestar/_multipart.py#L97" } ], "source": { "advisory": "GHSA-gjcc-jvgw-wvwj", "discovery": "UNKNOWN" }, "title": "Litestar allows unbounded resource consumption (DoS vulnerability)" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", 
"assignerShortName": "GitHub_M", "cveId": "CVE-2024-52581", "datePublished": "2024-11-20T20:50:19.679Z", "dateReserved": "2024-11-14T15:05:46.765Z", "dateUpdated": "2024-11-25T13:46:28.592Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }