上传具有特定文件名的图像会导致服务器端 DoS (CVE-2024-23826)
CVE编号
CVE-2024-23826利用情况
暂无补丁情况
N/A披露时间
2024-01-30漏洞描述
spbu_se_site is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is due to no limitation of the length of the filename and the costly use of the Unicode normalization with the form NFKD on Windows OS. This vulnerability was fixed in the 2024.01.29 release.解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://github.com/spbu-se/spbu_se_site/commit/5ad623eb0405260763046343c5785b... | |
| https://github.com/spbu-se/spbu_se_site/security/advisories/GHSA-5vfc-v7hg-pvwm |
- 攻击路径 网络
- 攻击复杂度 低
- 权限要求 低
- 影响范围 未更改
- 用户交互 需要
- 可用性 高
- 保密性 低
- 完整性 低
| CWE-ID | 漏洞类型 |
| CWE-770 | 不加限制或调节的资源分配 |
Exp相关链接
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论