CVE-2024-43410 – Russh has an OOM Denial of Service due to allocation of untrusted amount
https://notcve.org/view.php?id=CVE-2024-43410
Russh is a Rust SSH client & server library. Allocating an untrusted amount of memory allows any unauthenticated user to OOM a russh server. An SSH packet consists of a 4-byte big-endian length, followed by a byte stream of this length. After parsing and potentially decrypting the 4-byte length, russh allocates enough memory for this bytestream, as a performance optimization to avoid reallocations later. But this length is entirely untrusted and can be set to any value by the client, causing this much memory to be allocated, which will cause the process to OOM within a few such requests. This vulnerability is fixed in 0.44.1. • https://github.com/Eugeny/russh/security/advisories/GHSA-vgvv-x7xg-6cqg https://github.com/Eugeny/russh/commit/f660ea3f64b86d11d19e33076012069f02431e55 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2024-23185 – dovecot: very large headers can cause resource exhaustion when parsing message
https://notcve.org/view.php?id=CVE-2024-23185
So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). • https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2024/oxdc-adv-2024-0003.json https://access.redhat.com/security/cve/CVE-2024-23185 https://bugzilla.redhat.com/show_bug.cgi?id=2305910 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2023-29929
https://notcve.org/view.php?id=CVE-2023-29929
Buffer Overflow vulnerability found in Kemptechnologies Loadmaster before v.7.2.60.0 allows a remote attacker to casue a denial of service via the libkemplink.so, isreverse library. • https://github.com/YSaxon/CVE-2023-29929 http://kemptechnologies.com http://loadmaster.com • CWE-787: Out-of-bounds Write •
CVE-2024-25009 – Ericsson Packet Core Controller (PCC) - Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2024-25009
Ericsson Packet Core Controller (PCC) contains a vulnerability in Access and Mobility Management Function (AMF) where improper input validation can lead to denial of service which may result in service degradation. • https://www.ericsson.com/en/about-us/security/psirt/security-bulletin-ericsson-packet-core-controller-pcc-august-2024 • CWE-20: Improper Input Validation •
CVE-2024-38808 – CVE-2024-38808: Spring Expression DoS Vulnerability
https://notcve.org/view.php?id=CVE-2024-38808
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions. ... A maliciously crafted Spring Expression Language (SePL) may trigger uncontrolled CPU usage, leading to a denial of service in the application consuming it. • https://spring.io/security/cve-2024-38808 https://access.redhat.com/security/cve/CVE-2024-38808 https://bugzilla.redhat.com/show_bug.cgi?id=2305959 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •