CVE-2023-38505

DietPi-Dashboard is a web dashboard for the operating system DietPi. The dashboard only allows for one TLS handshake to be in process at a given moment. Once a TCP connection is established in HTTPS mode, it will assume that it should be waiting for a handshake, and will stay this way indefinitely until a handshake starts or some error occurs. In version 0.6.1, this can be exploited by simply not starting the handshake, preventing any other TLS handshakes from getting through. An attacker can lock the dashboard in a state where it is waiting for a TLS handshake from the attacker, who won't provide it. This prevents any legitimate traffic from getting to the dashboard, and can last indefinitely. Version 0.6.2 has a patch for this issue. As a workaround, do not use HTTPS mode on the open internet where anyone can connect. Instead, put a reverse proxy in front of the dashboard, and have it handle any HTTPS connections.
Configurations

Configuration 1 (hide)

cpe:2.3:a:dietpi-dashboard_project:dietpi-dashboard:0.6.1:*:*:*:*:rust:*:*

History

21 Nov 2024, 08:13

Type Values Removed Values Added
References () https://asciinema.org/a/8nRKbdf7AkPLmP3QxFZUSmPwp?t=7 - Exploit () https://asciinema.org/a/8nRKbdf7AkPLmP3QxFZUSmPwp?t=7 - Exploit
References () https://github.com/ravenclaw900/DietPi-Dashboard/commit/79cd78615d28f577454415e4baafe4dcd9d09666 - Patch () https://github.com/ravenclaw900/DietPi-Dashboard/commit/79cd78615d28f577454415e4baafe4dcd9d09666 - Patch
References () https://github.com/ravenclaw900/DietPi-Dashboard/pull/606 - Issue Tracking, Patch () https://github.com/ravenclaw900/DietPi-Dashboard/pull/606 - Issue Tracking, Patch
References () https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44 - Vendor Advisory () https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44 - Vendor Advisory

03 Aug 2023, 13:40

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE CWE-412
CWE-410
CWE-667
CPE cpe:2.3:a:dietpi-dashboard_project:dietpi-dashboard:0.6.1:*:*:*:*:rust:*:*
References (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/pull/606 - (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/pull/606 - Issue Tracking, Patch
References (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/commit/79cd78615d28f577454415e4baafe4dcd9d09666 - (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/commit/79cd78615d28f577454415e4baafe4dcd9d09666 - Patch
References (MISC) https://asciinema.org/a/8nRKbdf7AkPLmP3QxFZUSmPwp?t=7 - (MISC) https://asciinema.org/a/8nRKbdf7AkPLmP3QxFZUSmPwp?t=7 - Exploit
References (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44 - (MISC) https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44 - Vendor Advisory
First Time Dietpi-dashboard Project dietpi-dashboard
Dietpi-dashboard Project

27 Jul 2023, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-07-27 19:15

Updated : 2024-11-21 08:13


NVD link : CVE-2023-38505

Mitre link : CVE-2023-38505

CVE.ORG link : CVE-2023-38505


JSON object : View

Products Affected

dietpi-dashboard_project

  • dietpi-dashboard
CWE
CWE-410

Insufficient Resource Pool

CWE-412

Unrestricted Externally Accessible Lock

CWE-667

Improper Locking