133 matches found
Security Bulletin: A vulnerability in messagepack affects IBM Robotic Process Automation and may result in excessive CPU consumption (CVE-2024-48924).
Summary A vulnerability in messagepack affects IBM Robotic Process Automation and may result in excessive CPU consumption. Messagepack is used by IBM Robotic Process Automation to serialize and deserialize data. This bulletin identifies the fixes required to resolve the vulnerability. Vulnerabilit...
GHSA-GJCC-JVGW-WVWJ Litestar allows unbounded resource consumption (DoS vulnerability)
Summary Litestar offers multiple methods to return a parsed representation of the request body, as well as extractors that rely on those parsers to map request content to structured data types. Multiple of those parsers do not have size limits when reading the request body into memory, which allo...
Denial Of Service (DoS)
MessagePack is vulnerable to a Denial of Service (DoS). This vulnerability is due to hash collisions triggered by specially crafted data, which allows an attacker to cause excessive CPU consumption during deserialization of untrusted data. A workaround involves creating a custom hash function by...
CVE-2024-48924
Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialize...
CVE-2024-48924 MessagePack allows untrusted data to lead to DoS attack due to hash collisions and stack overflow
Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialize...
CVE-2024-48924
CVE-2024-48924 affects MessagePack-CSharp: deserializing untrusted MessagePack data can cause DoS via hash collisions, causing high CPU usage and potential stack overflow. The issue mirrors an earlier hash-collision advisory and is mitigated by upgrading to a patched library version and applying ...
CVE-2024-48924 MessagePack allows untrusted data to lead to DoS attack due to hash collisions and stack overflow
Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialize...
CVE-2024-48924 MessagePack allows untrusted data to lead to DoS attack due to hash collisions and stack overflow
Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialize...
Use of Weak Hash
Overview MessagePack is a MessagePack (MsgPack) serializer for C# (.NET, .NET Core, Unity, Xamarin). Affected versions of this package are vulnerable to Use of Weak Hash through the deserialization process. An attacker can cause a denial of service by sending specially crafted data that leads to hash...
MessagePack allows untrusted data to lead to DoS attack due to hash collisions and stack overflow
Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialize...
GHSA-4QM4-8HG2-G2XM MessagePack allows untrusted data to lead to DoS attack due to hash collisions and stack overflow
Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialize...
PT-2024-33272 · Unknown · Messagepack-Csharp
Name of the Vulnerable Software and Affected Versions: MessagePack-CSharp versions prior to 2.5.187 and 3.0.214 Description: The vulnerability occurs when the library is used to deserialize messagepack data from an untrusted source, leading to a risk of a denial of service attack by an attacker...
MessagePack for C# security vulnerability
MessagePack for C# is a MessagePack serializer from the MessagePack-CSharp open source project. A security vulnerability exists in MessagePack for C# versions prior to 2.5.187 and versions prior to 2.6.95-alpha through 3.0.214-rc.1, which stems from a disproportionately large amount of CPU consumption duri...
The vulnerability of the MessagePack NodeJS/JavaScript msgpackr implementation allows a hacker to cause a service failure.
The vulnerability of the MessagePack NodeJS/JavaScript msgpackr implementation lies in the ability of users to trigger stuck threads by crafting messages that lock the decoder. Exploiting this vulnerability could allow a remote attacker to cause a service failure...
ROS-20240418-08
A vulnerability in the Browserify-sign cryptographic functionality duplication package is related to the upper bound check in the dsaVerify function. Exploitation of the vulnerability could allow an attacker, acting remotely, to create signatures that can be successfully verified by any public ke...
CVE-2023-52079 Conversion of property names to strings can trigger infinite recursion
msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured...
Metasploit Weekly Wrap-Up
New module content 2 Gather Dbeaver Passwords Author: Kali-Team Type: Post Pull request: 17337 contributed by cn-kali-team Description: This adds a post exploit module that retrieves Dbeaver session data from local configuration files. It is able to extract and decrypt credentials stored in these...
MessagePack for Golang subject to DoS via Unmarshal panic
Unmarshal can panic on some inputs, possibly allowing for denial of service attacks. This issue has been patched in version 2.1.1...
GHSA-JR77-8GX4-H5QH MessagePack for Golang subject to DoS via Unmarshal panic
Unmarshal can panic on some inputs, possibly allowing for denial of service attacks. This issue has been patched in version 2.1.1...
NVFLARE unsafe deserialization due to Pickle
Impact NVFLARE contains a vulnerability where deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity. All versions before 2.1.4 are affected. CVSS Score =...