cvelistv5 - CVE-2023-25578

CVE-2023-25578 (GCVE-0-2023-25578)

Vulnerability from cvelistv5

Published

2023-02-15 14:58

Modified

2025-03-10 21:10

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.

References

URL	Tags
security-advisories@github.com	https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83	Patch
security-advisories@github.com	https://github.com/starlite-api/starlite/releases/tag/v1.51.2	Release Notes
security-advisories@github.com	https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/starlite-api/starlite/releases/tag/v1.51.2	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	starlite-api	starlite	Version: < 1.51.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:25:19.300Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
          },
          {
            "name": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83"
          },
          {
            "name": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25578",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T21:01:52.089906Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:10:58.235Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "starlite",
          "vendor": "starlite-api",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.51.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-15T14:58:31.829Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
        },
        {
          "name": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83"
        },
        {
          "name": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2"
        }
      ],
      "source": {
        "advisory": "GHSA-p24m-863f-fm6q",
        "discovery": "UNKNOWN"
      },
      "title": "Starlite DoS vulnerability when parsing multipart request body"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-25578",
    "datePublished": "2023-02-15T14:58:31.829Z",
    "dateReserved": "2023-02-07T17:10:00.743Z",
    "dateUpdated": "2025-03-10T21:10:58.235Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-25578\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-15T15:15:11.883\",\"lastModified\":\"2024-11-21T07:49:45.860\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:starliteproject:starlite:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.51.2\",\"matchCriteriaId\":\"25F2731E-8C59-43E0-9F2F-1A5257FC77E0\"}]}]}],\"references\":[{\"url\":\"https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/starlite-api/starlite/releases/tag/v1.51.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/starlite-api/starlite/releases/tag/v1.51.2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Starlite DoS vulnerability when parsing multipart request body\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-770\", \"lang\": \"en\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q\"}, {\"name\": \"https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83\"}, {\"name\": \"https://github.com/starlite-api/starlite/releases/tag/v1.51.2\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/starlite-api/starlite/releases/tag/v1.51.2\"}], \"affected\": [{\"vendor\": \"starlite-api\", \"product\": \"starlite\", \"versions\": [{\"version\": \"\u003c 1.51.2\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-02-15T14:58:31.829Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.\\n\"}], \"source\": {\"advisory\": \"GHSA-p24m-863f-fm6q\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:25:19.300Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q\"}, {\"name\": \"https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83\"}, {\"name\": \"https://github.com/starlite-api/starlite/releases/tag/v1.51.2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/starlite-api/starlite/releases/tag/v1.51.2\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-25578\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T21:01:52.089906Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T21:01:53.700Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-25578\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-02-07T17:10:00.743Z\", \"datePublished\": \"2023-02-15T14:58:31.829Z\", \"dateUpdated\": \"2025-03-10T21:10:58.235Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2023-25578

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-25578

Aliases

CVE-2023-25578

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-25578",
    "id": "GSD-2023-25578"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-25578"
      ],
      "details": "Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.",
      "id": "GSD-2023-25578",
      "modified": "2023-12-13T01:20:40.768541Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-25578",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "starlite",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.51.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "starlite-api"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-770",
                "lang": "eng",
                "value": "CWE-770: Allocation of Resources Without Limits or Throttling"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q",
            "refsource": "MISC",
            "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
          },
          {
            "name": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83",
            "refsource": "MISC",
            "url": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83"
          },
          {
            "name": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2",
            "refsource": "MISC",
            "url": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-p24m-863f-fm6q",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.51.2",
          "affected_versions": "All versions before 1.51.2",
          "cwe_ids": [
            "CWE-1035",
            "CWE-707",
            "CWE-937"
          ],
          "date": "2023-02-15",
          "description": "Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.",
          "fixed_versions": [
            "1.51.2"
          ],
          "identifier": "CVE-2023-25578",
          "identifiers": [
            "GHSA-p24m-863f-fm6q",
            "CVE-2023-25578"
          ],
          "not_impacted": "All versions starting from 1.51.2",
          "package_slug": "pypi/starlite",
          "pubdate": "2023-02-15",
          "solution": "Upgrade to version 1.51.2 or above.",
          "title": "Improper Neutralization",
          "urls": [
            "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-25578",
            "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83",
            "https://github.com/starlite-api/starlite/releases/tag/v1.51.2",
            "https://github.com/advisories/GHSA-p24m-863f-fm6q"
          ],
          "uuid": "f8d8fae0-8409-4a00-b6a0-744a74173bb8"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:starliteproject:starlite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.51.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-25578"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2"
            },
            {
              "name": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
            },
            {
              "name": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-02-24T16:16Z",
      "publishedDate": "2023-02-15T15:15Z"
    }
  }
}

fkie_cve-2023-25578

Vulnerability from fkie_nvd

Published

2023-02-15 15:15

Modified

2024-11-21 07:49

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83	Patch
security-advisories@github.com	https://github.com/starlite-api/starlite/releases/tag/v1.51.2	Release Notes
security-advisories@github.com	https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/starlite-api/starlite/releases/tag/v1.51.2	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	starliteproject	starlite	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:starliteproject:starlite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "25F2731E-8C59-43E0-9F2F-1A5257FC77E0",
              "versionEndExcluding": "1.51.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.\n"
    }
  ],
  "id": "CVE-2023-25578",
  "lastModified": "2024-11-21T07:49:45.860",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-02-15T15:15:11.883",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-p24m-863f-fm6q

Vulnerability from github

Published

2023-02-15 17:42

Modified

2024-10-28 14:38

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Denial of service vulnerability when parsing multipart request body

Details

Summary

The request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM.

Details

The multipart body parser processes an unlimited number of file parts. The multipart body parser processes an unlimited number of field parts.

Impact

This is a remote, potentially unauthenticated Denial of Service vulnerability.

This vulnerability affects applications with a request handler that accepts a Body(media_type=RequestEncodingType.MULTI_PART).

The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "starlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.51.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-15T17:42:42Z",
    "nvd_published_at": "2023-02-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe request body parsing in `starlite` allows a potentially unauthenticated\n attacker to consume a large amount of CPU time and RAM.\n\n### Details\n\nThe multipart body parser processes an unlimited number of file parts.\nThe multipart body parser processes an unlimited number of field parts.\n\n### Impact\n\nThis is a remote, potentially unauthenticated Denial of Service vulnerability.\n\nThis vulnerability affects applications with a request handler that accepts\n a `Body(media_type=RequestEncodingType.MULTI_PART)`.\n\nThe large amount of CPU time required for processing requests can block all\n available worker processes and significantly delay or slow down the processing\n of legitimate user requests.\nThe large amount of RAM accumulated while processing requests can lead to\n Out-Of-Memory kills.\nComplete DoS is achievable by sending many concurrent multipart requests in a\n loop.\n",
  "id": "GHSA-p24m-863f-fm6q",
  "modified": "2024-10-28T14:38:20Z",
  "published": "2023-02-15T17:42:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25578"
    },
    {
      "type": "WEB",
      "url": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlite/PYSEC-2023-49.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/starlite-api/starlite"
    },
    {
      "type": "WEB",
      "url": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Denial of service vulnerability when parsing multipart request body"
}

pysec-2023-49

Vulnerability from pysec

Published

2023-02-15 15:15

Modified

2023-05-04 03:49

Details

Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a Body(media_type=RequestEncodingType.MULTI_PART). The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.

Impacted products

Name	purl
starlite	pkg:pypi/starlite

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "starlite",
        "purl": "pkg:pypi/starlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9674fe803628f986c03fe60769048cbc55b5bf83"
            }
          ],
          "repo": "https://github.com/starlite-api/starlite",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.51.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1a0",
        "0.1.0",
        "0.1.0b1",
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.2.0",
        "0.2.1",
        "0.3.0",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.3",
        "0.5.0",
        "0.6.0",
        "0.7.0",
        "0.7.1",
        "0.7.2",
        "1.0.0",
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.1.0",
        "1.1.1",
        "1.10.0",
        "1.10.1",
        "1.11.0",
        "1.11.1",
        "1.12.0",
        "1.13.0",
        "1.13.1",
        "1.14.0",
        "1.14.1",
        "1.14.2",
        "1.15.0",
        "1.16.0",
        "1.16.1",
        "1.16.2",
        "1.17.0",
        "1.17.1",
        "1.17.2",
        "1.18.0",
        "1.18.1",
        "1.19.0",
        "1.2.0",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.20.0",
        "1.21.0",
        "1.21.1",
        "1.21.2",
        "1.23.0",
        "1.23.1",
        "1.24.0",
        "1.25.0",
        "1.26.0",
        "1.26.1",
        "1.27.0",
        "1.28.0",
        "1.28.1",
        "1.29.0",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.3.8",
        "1.3.9",
        "1.30.0",
        "1.31.0",
        "1.32.0",
        "1.33.0",
        "1.34.0",
        "1.35.0",
        "1.35.1",
        "1.36.0",
        "1.37.0",
        "1.38.0",
        "1.39.0",
        "1.4.0",
        "1.4.1",
        "1.4.2",
        "1.40.0",
        "1.40.1",
        "1.41.0",
        "1.42.0",
        "1.43.0",
        "1.43.1",
        "1.44.0",
        "1.45.0",
        "1.45.1",
        "1.46.0",
        "1.47.0",
        "1.48.0",
        "1.48.1",
        "1.49.0",
        "1.5.0",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.50.0",
        "1.50.1",
        "1.50.2",
        "1.51.0",
        "1.51.1",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.8.0",
        "1.8.1",
        "1.9.0",
        "1.9.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25578",
    "GHSA-p24m-863f-fm6q"
  ],
  "details": "Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.5.2, the request body parsing in `starlite` allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and an unlimited number of field parts. This is a remote, potentially unauthenticated Denial of Service vulnerability. This vulnerability affects applications with a request handler that accepts a `Body(media_type=RequestEncodingType.MULTI_PART)`. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large amount of RAM accumulated while processing requests can lead to Out-Of-Memory kills. Complete DoS is achievable by sending many concurrent multipart requests in a loop. Version 1.51.2 contains a patch for this issue.",
  "id": "PYSEC-2023-49",
  "modified": "2023-05-04T03:49:48.263994Z",
  "published": "2023-02-15T15:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/starlite-api/starlite/releases/tag/v1.51.2"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/starlite-api/starlite/security/advisories/GHSA-p24m-863f-fm6q"
    },
    {
      "type": "FIX",
      "url": "https://github.com/starlite-api/starlite/commit/9674fe803628f986c03fe60769048cbc55b5bf83"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-25578 (GCVE-0-2023-25578)

Vulnerability from cvelistv5

gsd-2023-25578

Vulnerability from gsd

fkie_cve-2023-25578

Vulnerability from fkie_nvd

ghsa-p24m-863f-fm6q

Vulnerability from github

Summary

Details

Impact

pysec-2023-49

Vulnerability from pysec

Tags

Sightings

Nomenclature