CVE-2024-8939

{"id": "CVE-2024-8939", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.5}]}, "published": "2024-09-17T17:15:11.327", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-8939", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312782", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en el componente de servicio de modelos ilab, donde el manejo inadecuado del par\u00e1metro best_of en la API web JSON vllm puede provocar una denegaci\u00f3n de servicio (DoS). La API utilizada para completar oraciones o chats basados en LLM acepta un par\u00e1metro best_of para devolver la mejor opci\u00f3n de varias opciones. Cuando este par\u00e1metro se establece en un valor alto, la API no maneja los tiempos de espera o el agotamiento de recursos de manera adecuada, lo que permite que un atacante provoque una denegaci\u00f3n de servicio al consumir recursos excesivos del sistema. Esto hace que la API deje de responder, lo que impide que los usuarios leg\u00edtimos accedan al servicio."}], "lastModified": "2024-09-20T12:30:51.220", "sourceIdentifier": "secalert@redhat.com"}