CVE-2024-32874 - Vulnerability Details - OpenCVE

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Below 0.13.2 Release, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to a application-level denial of service. This is due to no limitation set on the length of the filename and the costy use of the Unicode normalization with the form NFKD under the hood of `secure_filename()`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Frigate	Frigate

No data.

No data.

References

Link	Providers
https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-09T14:20:04.499Z

Updated: 2024-08-02T02:20:35.681Z

Reserved: 2024-04-19T14:07:11.229Z

Link: CVE-2024-32874

Vulnrichment

Updated: 2024-05-10T18:14:14.991Z

NVD

Status : Awaiting Analysis

Published: 2024-05-14T15:37:13.483

Modified: 2024-11-21T09:15:54.833

Link: CVE-2024-32874

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32874", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-19T14:07:11.229Z", "datePublished": "2024-05-09T14:20:04.499Z", "dateUpdated": "2024-08-02T02:20:35.681Z"}, "containers": {"cna": {"title": "In Frigate, Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq"}, {"name": "https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442", "tags": ["x_refsource_MISC"], "url": "https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442"}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"version": "<= 0.13.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-09T14:20:56.118Z"}, "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Below 0.13.2 Release, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to a application-level denial of service. This is due to no limitation set on the length of the filename and the costy use of the Unicode normalization with the form NFKD under the hood of `secure_filename()`."}], "source": {"advisory": "GHSA-w4h6-9wrp-v5jq", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "frigate", "product": "frigate", "cpes": ["cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.13.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-10T18:13:38.649226Z", "id": "CVE-2024-32874", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T17:35:41.883Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.681Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq"}, {"name": "https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32874", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-19T14:07:11.229Z", "datePublished": "2024-05-09T14:20:04.499Z", "dateUpdated": "2024-06-06T17:35:41.883Z"}, "containers": {"cna": {"title": "In Frigate, Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq"}, {"name": "https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442", "tags": ["x_refsource_MISC"], "url": "https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442"}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"version": "<= 0.13.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-09T14:20:56.118Z"}, "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Below 0.13.2 Release, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to a application-level denial of service. This is due to no limitation set on the length of the filename and the costy use of the Unicode normalization with the form NFKD under the hood of `secure_filename()`."}], "source": {"advisory": "GHSA-w4h6-9wrp-v5jq", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-10T18:13:38.649226Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*"], "vendor": "frigate", "product": "frigate", "versions": [{"status": "affected", "version": "0", "lessThan": "0.13.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-10T18:14:14.991Z"}}]}}

{"descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Below 0.13.2 Release, when uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to a application-level denial of service. This is due to no limitation set on the length of the filename and the costy use of the Unicode normalization with the form NFKD under the hood of `secure_filename()`."}, {"lang": "es", "value": "Frigate es un grabador de v\u00eddeo en red (NVR) con detecci\u00f3n de objetos locales en tiempo real para c\u00e1maras IP. Por debajo de la versi\u00f3n 0.13.2, al cargar un archivo o recuperar el nombre del archivo, un usuario puede usar intencionalmente un nombre de archivo Unicode grande, lo que conducir\u00eda a una denegaci\u00f3n de servicio a nivel de aplicaci\u00f3n. Esto se debe a que no se ha establecido ninguna limitaci\u00f3n en la longitud del nombre de archivo y al costoso uso de la normalizaci\u00f3n Unicode con el formulario NFKD bajo el cap\u00f3 de `secure_filename()`."}], "id": "CVE-2024-32874", "lastModified": "2024-11-21T09:15:54.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-05-14T15:37:13.483", "references": [{"source": "[email protected]", "url": "https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442"}, {"source": "[email protected]", "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "[email protected]", "type": "Secondary"}]}