No Limit on Number of Open Sessions Leads to Memory Exhaustion and Impacts Availability
CVE-2024-1930

6.5 MEDIUM

Key Information:

Vendor
Fedora
Status
Dnf5daemon-server
Vendor
CVE Published:
8 May 2024

Summary

A session management flaw exists in the DNF5 Daemon Server: the open_session() D-Bus method places no limit on the number of open sessions, so a malicious local user can create them without bound. Each session spawns its own thread, and each thread consumes significant memory. As the number of sessions grows, the system approaches its memory limits, which ultimately prevents new connections from being established. This may lead to service unavailability, impacting applications that rely on the DNF5 Daemon Server. The vulnerability is significant as an instance of resource exhaustion in a multi-threaded service.
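The root cause described above is a session table with no cap. The following is an added example, not dnf5daemon-server's own code: a hypothetical session registry (the `SessionRegistry` class, the `open_session`/`close_session`/`close_all_for_sender` method names and the limits are all assumptions) that enforces both a per-caller and a global ceiling, which is the standard mitigation for this class of bug. The `sender` string stands in for the unique bus name a D-Bus service sees on every request.

```python
from __future__ import annotations

import threading
from collections import defaultdict
from typing import Optional


class SessionLimitExceeded(Exception):
    """Raised when a caller, or the service as a whole, has too many open sessions."""


class SessionRegistry:
    """Hypothetical bounded session table (assumption; not the project's code).

    Two independent limits are enforced: a per-sender cap, so one client cannot
    monopolise the service, and a global cap, so the total number of worker
    threads (one per session) stays bounded regardless of how many clients
    there are.
    """

    def __init__(self, max_per_sender: int = 4, max_total: int = 64) -> None:
        self._max_per_sender = max_per_sender
        self._max_total = max_total
        self._lock = threading.Lock()
        self._sessions: dict[str, str] = {}            # session id -> sender
        self._per_sender: dict[str, int] = defaultdict(int)
        self._counter = 0

    def open_session(self, sender: str) -> str:
        """Allocate a session id for ``sender`` or reject if a limit is reached."""
        with self._lock:
            if len(self._sessions) >= self._max_total:
                raise SessionLimitExceeded("global session limit reached")
            if self._per_sender[sender] >= self._max_per_sender:
                raise SessionLimitExceeded(f"session limit reached for {sender}")
            self._counter += 1
            session_id = f"/session/{self._counter}"   # constructed id scheme
            self._sessions[session_id] = sender
            self._per_sender[sender] += 1
            return session_id

    def close_session(self, session_id: str) -> bool:
        """Release one session; returns False if the id is unknown."""
        with self._lock:
            sender = self._sessions.pop(session_id, None)
            if sender is None:
                return False
            self._per_sender[sender] -= 1
            if self._per_sender[sender] == 0:
                del self._per_sender[sender]
            return True

    def close_all_for_sender(self, sender: str) -> int:
        """Release every session of a client that disappeared from the bus."""
        with self._lock:
            ids = [sid for sid, s in self._sessions.items() if s == sender]
            for sid in ids:
                del self._sessions[sid]
            self._per_sender.pop(sender, None)
            return len(ids)

    def open_count(self, sender: Optional[str] = None) -> int:
        """Open sessions for one sender, or in total when sender is None."""
        with self._lock:
            if sender is None:
                return len(self._sessions)
            return self._per_sender.get(sender, 0)


def demo() -> tuple[int, int, int]:
    """Constructed scenario: one caller keeps calling open_session until rejected."""
    registry = SessionRegistry(max_per_sender=3, max_total=10)
    rejected = 0
    for _ in range(20):
        try:
            registry.open_session(":1.42")
        except SessionLimitExceeded:
            rejected += 1
    opened = registry.open_count(":1.42")
    # A second caller is unaffected by the first caller's exhausted quota.
    registry.open_session(":1.99")
    # Bus-name-owner-changed style cleanup frees the first caller's sessions.
    released = registry.close_all_for_sender(":1.42")
    return opened, rejected, released
```

Pairing the per-sender cap with cleanup on client disconnect matters: a cap alone still leaks threads if a client opens its quota and exits without closing, so a real service should also drop sessions when the bus reports the owner of a name is gone.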

Affected Version(s)

dnf5daemon-server (Linux) <= 5.1.16

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
