CVE-2024-52797 – Searching Opencast may cause a denial of service

https://notcve.org/view.php?id=CVE-2024-52797

Opencast is free and open source software for automated video capture and distribution. First noticed in Opencast 13 and 14, Opencast's Elasticsearch integration may generate syntactically invalid Elasticsearch queries in relation to previously acceptable search queries. From Opencast version 11.4 and newer, Elasticsearch queries are retried a configurable number of times in the case of error to handle temporary losses of connection to Elasticsearch. These invalid queries would fail, causing the retry mechanism to begin requerying with the same syntactically invalid query immediately, in an infinite loop. This causes a massive increase in log size which can in some cases cause a denial of service due to disk exhaustion. Opencast 13.10 and Opencast 14.3 contain patches which address the base issue, with Opencast 16.7 containing changes which harmonize the search behaviour between the admin UI and external API. • https://github.com/opencast/opencast/security/advisories/GHSA-jh6x-7xfg-9cq2 https://github.com/opencast/opencast/pull/5033 https://github.com/opencast/opencast/pull/5150 • CWE-770: Allocation of Resources Without Limits or Throttling •