#VU99350 Memory leak in aircompressor - CVE-2024-36114

Cybersecurity Help s.r.o.

Published: 2024-10-25

Vulnerability identifier: #VU99350

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-36114

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
aircompressor
Other software / Other software solutions

Vendor: airlift

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when handling untrusted input. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

aircompressor: 0.1 - 0.26

External links
https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4
https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071
https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e
https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f
https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM Asset Data Dictionary Component update for airlift aircompressor

Multiple vulnerabilities in IBM Cognos Dashboards on Cloud Pak for Data

Multiple vulnerabilities in Oracle Business Intelligence Enterprise Edition

Splunk Enterprise update for third-party components

Denial of service in Airlift Aircompressor