CVE-2024-28214

Published Mar 7, 2024

Last updated 10 months ago

CVSS low 2.7

Overview

Description
nGrinder before 3.5.9 allows to set delay without limitation, which could be the cause of Denial of Service by remote attacker.
Source
cve@navercorp.com
NVD status
Analyzed
Products
ngrinder

Risk scores

CVSS 3.1

Type
Secondary
Base score
2.7
Impact score
1.4
Exploitability score
1.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Severity
LOW

Weaknesses

cve@navercorp.com
CWE-405
nvd@nist.gov
NVD-CWE-Other

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. nGrinder before 3.5.9 allows an attacker to obtain the results of webhook requests due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.CVE-2024-28216
  2. nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.CVE-2024-28215
  3. nGrinder before 3.5.9 allows to accept serialized Java objects from unauthenticated users, which could allow remote attacker to execute arbitrary code via unsafe Java objects deserialization.CVE-2024-28213
  4. nGrinder before 3.5.9 uses old version of SnakeYAML, which could allow remote attacker to execute arbitrary code via unsafe deserialization.CVE-2024-28212
  5. nGrinder before 3.5.9 allows connection to malicious JMX/RMI server by default, which could be the cause of executing arbitrary code via RMI registry by remote attacker.CVE-2024-28211

References

Sources include official advisories and independent security research.