Kirby up to 3.9.6 allocation of resources

Summaryinfo

A vulnerability marked as problematic has been reported in Kirby up to 3.5.8.3/3.6.6.3/3.7.5.2/3.8.4.1/3.9.6. Affected is an unknown function. Performing a manipulation results in allocation of resources. This vulnerability is known as CVE-2023-38492. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in Kirby up to 3.5.8.3/3.6.6.3/3.7.5.2/3.8.4.1/3.9.6. This affects an unknown code. The manipulation with an unknown input leads to a allocation of resources vulnerability. CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. This is going to have an impact on availability. The summary by CVE is:

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). The real-world impact of this vulnerability is limited, however we still recommend to update to one of the patch releases because they also fix more severe vulnerabilities. Kirby's authentication endpoint did not limit the password length. This allowed attackers to provide a password with a length up to the server's maximum request body length. Validating that password against the user's actual password requires hashing the provided password, which requires more CPU and memory resources (and therefore processing time) the longer the provided password gets. This could be abused by an attacker to cause the website to become unresponsive or unavailable. Because Kirby comes with a built-in brute force protection, the impact of this vulnerability is limited to 10 failed logins from each IP address and 10 failed logins for each existing user per hour. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have added password length limits in the affected code so that passwords longer than 1000 bytes are immediately blocked, both when setting a password and when logging in.

The weakness was published 07/27/2023 as GHSA-3v6j-v3qc-cxff. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2023-38492 since 07/18/2023. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

Upgrading to version 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1 or 3.9.6 eliminates this vulnerability. Applying the patch 0e10ce3b0c2b88656564b8ff518ddc99136ac43e is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Name

• Kirby

Version

• 3.5.8.0
• 3.5.8.1
• 3.5.8.2
• 3.5.8.3
• 3.6.6.0
• 3.6.6.1
• 3.6.6.2
• 3.6.6.3
• 3.7.5.0
• 3.7.5.1
• 3.7.5.2
• 3.8.4.0
• 3.8.4.1
• 3.9.0
• 3.9.1
• 3.9.2
• 3.9.3
• 3.9.4
• 3.9.5
• 3.9.6

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion