CVE-2024-9358

Published: Oct 1, 2024

Modified: Oct 1, 2024

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

A vulnerability has been found in ThingsBoard up to 3.7.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component HTTP RPC API. The manipulation leads to resource consumption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.7.1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed on 2024-07-24 about this vulnerability and announced the release of 3.7.1 for the second half of September 2024.

Vendor	Product	Versions
n/a	ThingsBoard	affected `3.0` affected `3.1` affected `3.2` affected `3.3` affected `3.4` +3 more versions

Weaknesses (CWE)

CWE-400

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

VDB-278887 | ThingsBoard HTTP RPC API resource consumption

vdb-entry

VDB-278887 | CTI Indicators (IOB, IOC, TTP)

signature

permissions-required

Submit #379486 | thingsboard v3.7.0 Denial of Service

third-party-advisory

https://1drv.ms/v/s!AksJ421iyCG-mytAcEUF6WqOTwj2?e=6WAp5G

exploit

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-9358

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References