CVE-2024-1930
MEDIUMdnf5 < 5.1.17 - Denial of Service via Unlimited D-Bus Session Creation
Title source: llmDescription
No Limit on Number of Open Sessions / Bad Session Close Behaviour in dnf5daemon-server before 5.1.17 allows a malicious user to impact Availability via No Limit on Number of Open Sessions. There is no limit on how many sessions D-Bus clients may create using the `open_session()` D-Bus method. For each session a thread is created in dnf5daemon-server. This spends a couple of hundred megabytes of memory in the process. Further connections will become impossible, likely because no more threads can be spawned by the D-Bus service.
References (1)
Core 1
Core References
Exploit, Mailing List, Third Party Advisory
https://www.openwall.com/lists/oss-security/2024/03/04/2
Scores
CVSS v3
6.5
EPSS
0.0030
EPSS Percentile
21.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (1)
rpm-software-management/dnf5
< 5.1.17
Published
May 08, 2024
Tracked Since
Feb 18, 2026