Frigate NVR Vulnerable to Denial of Service Attack via Large Unicode Filenames

CVE-2024-32874

6.8MEDIUM

Key Information

Vendor: Blakeblackshear
Status: Frigate
Vendor: CVE Published:; 14 May 2024

Summary

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Below 0.13.2 Release, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to a application-level denial of service. This is due to no limitation set on the length of the filename and the costy use of the Unicode normalization with the form NFKD under the hood of `secure_filename()`.

Affected Version(s)

frigate = <= 0.13.2

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
May 14, 2024
Vulnerability Reserved.
Apr 19, 2024

Collectors

NVD DatabaseMitre Database