#VU86369 Uncontrolled Memory Allocation in serving - CVE-2023-48713

Cybersecurity Help s.r.o.

Published: 2024-02-13

Vulnerability identifier: #VU86369

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-48713

CWE-ID: CWE-789

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
serving
Other software / Other software solutions

Vendor: Knative

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to unbound memory allocation. A remote user who controls a pod to a degree where they can control the responses from the /metrics endpoint can cause denial-of-service of the autoscaler.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

serving: 0.1.0 - 1.11.2

External links
https://github.com/knative/serving/security/advisories/GHSA-qmvj-4qr9-v547
https://github.com/knative/serving/commit/012ee2509231b80b7842139bfabc30516d3026ca
https://github.com/knative/serving/commit/101f814112b9ca0767f457e7e616b46205551cf1
https://github.com/knative/serving/commit/fff40ef7bac9be8380ec3d1c70fc15b57093382a

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM App Connect Enterprise Certified Container