CVE-2024-22393

Apache Answer: Pixel Flood Attack by uploading the large pixel file

CVSS 9.1 CRITICALEPSS 2.5%CWE-434

Vexday Risk Score

48Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.1EPSS 2.5%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

22 Feb 2024Published on NVD

08 Mar 2024Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content. Users are recommended to upgrade to version [1.2.5], which fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Affected products

Apache Software Foundation · Apache Answer

public PoCs found — 3

githubgithub.com/Rk-000/Pixel-Flood-Attack★ 1 githubgithub.com/Rk-000/Apache-Hunter★ 1 githubgithub.com/omranisecurity/CVE-2024-22393★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread/f58l6dr4r74hl6o71gn47kmn44vw12cv http://www.openwall.com/lists/oss-security/2024/02/22/1