CVE-2023-38505

DietPi-Dashboard is a web dashboard for the operating system DietPi. The dashboard only allows for one TLS handshake to be in process at a given moment. Once a TCP connection is established in HTTPS mode, it will assume that it should be waiting for a handshake, and will stay this way indefinitely until a handshake starts or some error occurs. In version 0.6.1, this can be exploited by simply not starting the handshake, preventing any other TLS handshakes from getting through. An attacker can lock the dashboard in a state where it is waiting for a TLS handshake from the attacker, who won't provide it. This prevents any legitimate traffic from getting to the dashboard, and can last indefinitely. Version 0.6.2 has a patch for this issue. As a workaround, do not use HTTPS mode on the open internet where anyone can connect. Instead, put a reverse proxy in front of the dashboard, and have it handle any HTTPS connections.
Configurations

Configuration 1 (hide)

cpe:2.3:a:dietpi-dashboard_project:dietpi-dashboard:0.6.1:*:*:*:*:rust:*:*

History

03 Aug 2023, 13:40

Type Values Removed Values Added
CWE CWE-412
CWE-410
CWE-667
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Dietpi-dashboard Project dietpi-dashboard
Dietpi-dashboard Project
CPE cpe:2.3:a:dietpi-dashboard_project:dietpi-dashboard:0.6.1:*:*:*:*:rust:*:*
References (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/pull/606 - (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/pull/606 - Issue Tracking, Patch
References (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/commit/79cd78615d28f577454415e4baafe4dcd9d09666 - (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/commit/79cd78615d28f577454415e4baafe4dcd9d09666 - Patch
References (MISC) https://asciinema.org/a/8nRKbdf7AkPLmP3QxFZUSmPwp?t=7 - (MISC) https://asciinema.org/a/8nRKbdf7AkPLmP3QxFZUSmPwp?t=7 - Exploit
References (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44 - (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44 - Vendor Advisory

27 Jul 2023, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-27 19:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-38505

Mitre link : CVE-2023-38505

CVE.ORG link : CVE-2023-38505


JSON object : View

Products Affected

dietpi-dashboard_project

  • dietpi-dashboard
CWE
CWE-667

Improper Locking

CWE-410

Insufficient Resource Pool

CWE-412

Unrestricted Externally Accessible Lock