CVE-2024-9953

A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user’s profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.
Configurations

Configuration 1

cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*

History

17 Oct 2024, 20:59

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 4.9
Type: CPE
  Values Added: cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*
Type: References
  Values Removed: () https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity -
  Values Added: () https://github.com/CERTCC/VINCE/issues?q=label%3Asecurity - Patch
Type: First Time
  Values Added: Cert; Cert vince

15 Oct 2024, 15:15

Type: Summary
  Values Removed: (en) A Potential DOS Vulnerability exists in CERT VINCE software prior to version 3.0.8. An authenticated administrative user can inject an arbitrary pickle object as part of a user's profile. This can lead to a potential DoS on the server when the user's profile is accessed. Django server does restrict unpickling from crashing the server.
  Values Added: (en) A potential denial-of-service (DoS) vulnerability exists in CERT VINCE software versions prior to 3.0.8. An authenticated administrative user can inject an arbitrary pickle object into a user's profile, which may lead to a DoS condition when the profile is accessed. While the Django server restricts unpickling to prevent server crashes, this vulnerability could still disrupt operations.

15 Oct 2024, 12:57

Type: Summary
  Values Added: (es) A potential denial-of-service vulnerability exists in CERT VINCE software prior to version 3.0.8. An authenticated administrative user can inject an arbitrary pickle object as part of a user's profile. This can lead to a potential denial of service on the server when the user's profile is accessed. The Django server prevents unpickling from crashing the server.

14 Oct 2024, 22:15

Type: New CVE

Information

Published : 2024-10-14 22:15

Updated : 2024-10-17 20:59
NVD link : CVE-2024-9953

Mitre link : CVE-2024-9953

CVE.ORG link : CVE-2024-9953
Products Affected

cert

  • vince
CWE
CWE-502

Deserialization of Untrusted Data