CVE-2024-8939

A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2024-8939
https://bugzilla.redhat.com/show_bug.cgi?id=2312782

Configurations

No configuration.

History

No history.

Information

Published : 2024-09-17 17:15

Updated : 2024-09-20 12:30

NVD link : CVE-2024-8939

Mitre link : CVE-2024-8939

CVE.ORG link : CVE-2024-8939

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2024-8939", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.5}]}, "published": "2024-09-17T17:15:11.327", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-8939", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312782", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en el componente de servicio de modelos ilab, donde el manejo inadecuado del par\u00e1metro best_of en la API web JSON vllm puede provocar una denegaci\u00f3n de servicio (DoS). La API utilizada para completar oraciones o chats basados en LLM acepta un par\u00e1metro best_of para devolver la mejor opci\u00f3n de varias opciones. Cuando este par\u00e1metro se establece en un valor alto, la API no maneja los tiempos de espera o el agotamiento de recursos de manera adecuada, lo que permite que un atacante provoque una denegaci\u00f3n de servicio al consumir recursos excesivos del sistema. Esto hace que la API deje de responder, lo que impide que los usuarios leg\u00edtimos accedan al servicio."}], "lastModified": "2024-09-20T12:30:51.220", "sourceIdentifier": "secalert@redhat.com"}