#VU100446 Infinite loop in libsoup - CVE-2024-52532

Cybersecurity Help s.r.o.

Published: 2024-11-13

Vulnerability identifier: #VU100446

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-52532

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libsoup
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when reading WebSocket data. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libsoup: 3.0.0 - 3.6.0

External links
https://gitlab.gnome.org/Teams/Releng/security/-/wikis/home
https://gitlab.gnome.org/GNOME/libsoup/-/issues/391
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell APEX Cloud Platform for Red Hat OpenShift update for third-party components

Dell VxRail Appliance 8.x update for third-party components

Dell VxRail Appliance 7.x update for third-party components

Anolis OS update for libsoup

Multiple vulnerabilities in IBM App Connect Enterprise Certified Container

Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.4

SUSE update for libsoup

SUSE update for libsoup2

SUSE update for libsoup