CVE-2024-32874
Published 2024-05-14
Priority: P4 (30) · Severity: medium · CVSS 3.1 base score: 6.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
EPSS: 0.77% (50.9th percentile)
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Before release 0.13.2, when uploading a file or retrieving a filename, a user may intentionally supply a very long Unicode filename, leading to an application-level denial of service. The cause is that no limit is placed on the length of the filename, and `secure_filename()` performs a costly Unicode normalization (form NFKD) under the hood over the entire string.
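The description above is enough to reproduce the failure mode in Python, the language Frigate and Werkzeug are written in. The following is an added example, not Frigate's or Werkzeug's code: `normalize_like_secure_filename()` is a simplified stand-in for Werkzeug's `secure_filename()` that keeps its NFKD step, the 255 code-point cap and all function names are assumptions for illustration, and the malicious filename is constructed inline. Running it shows two things the paragraph alone does not: the normalization pass runs over every code point the client sent, and NFKD can expand the string (one U+FB03 ligature becomes three letters), so a length check placed after normalization measures the wrong thing. The hardened variant rejects the input before any Unicode work is done.

```python
import re
import time
import unicodedata

# Assumed limit for this example; the cap Frigate chose in 0.13.2 is not
# stated on this page.
MAX_FILENAME_LEN = 255


def normalize_like_secure_filename(filename: str) -> str:
    """Simplified stand-in for Werkzeug's secure_filename() (not Werkzeug's
    own code): NFKD-normalize, drop non-ASCII, turn path separators and
    whitespace into underscores, strip everything but [A-Za-z0-9_.-]."""
    filename = unicodedata.normalize("NFKD", filename)
    filename = filename.encode("ascii", "ignore").decode("ascii")
    for sep in ("/", "\\"):
        filename = filename.replace(sep, " ")
    filename = "_".join(filename.split())
    filename = re.sub(r"[^A-Za-z0-9_.-]", "", filename)
    return filename.strip("._")


def vulnerable_secure_filename(filename: str) -> str:
    # Pre-0.13.2 shape of the bug: no length check, so the NFKD pass (and the
    # passes after it) run over however many code points the client sent.
    return normalize_like_secure_filename(filename)


def hardened_secure_filename(filename: str, max_len: int = MAX_FILENAME_LEN) -> str:
    # Bound the input *before* any Unicode work. Checking after normalization
    # is too late: the expensive pass has already run, and because NFKD can
    # expand the string, the length you would measure is not the one sent.
    if len(filename) > max_len:
        raise ValueError(f"filename too long ({len(filename)} > {max_len} code points)")
    result = normalize_like_secure_filename(filename)
    if not result:
        raise ValueError("filename is empty after sanitization")
    return result


def build_malicious_filename(n: int) -> str:
    # Constructed attacker input: n copies of U+FB03 (ffi ligature). Each one
    # decomposes under NFKD to three ASCII letters, so output is ~3x the input.
    return "\ufb03" * n + ".jpg"


def nfkd_expansion(filename: str) -> float:
    """Ratio of NFKD-normalized length to input length."""
    return len(unicodedata.normalize("NFKD", filename)) / len(filename)


def run_timed(fn, filename: str):
    """Call fn(filename); return (accepted, seconds, output_length)."""
    t0 = time.perf_counter()
    try:
        out = fn(filename)
        return True, time.perf_counter() - t0, len(out)
    except ValueError:
        return False, time.perf_counter() - t0, 0


if __name__ == "__main__":
    for n in (10_000, 100_000, 1_000_000):
        name = build_malicious_filename(n)
        for label, fn in (("vulnerable", vulnerable_secure_filename),
                          ("hardened", hardened_secure_filename)):
            accepted, secs, out_len = run_timed(fn, name)
            print(f"{label:10s} n={n:>9,} accepted={accepted!s:5} "
                  f"time={secs:8.4f}s out_len={out_len:,}")
```

The timings printed by the `__main__` loop grow linearly with `n` for the vulnerable path and stay flat for the hardened one; a request handler that runs the vulnerable path on a multi-megabyte multipart filename is what turns this into a denial of service. The same ordering applies to any sanitizer that normalizes, transliterates or regex-scans untrusted strings: measure and reject first, then transform.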
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blakeblackshear | frigate | <= 0.13.2 | — |
| frigate | frigate | >= 0 < 0.13.2 | 0.13.2 |
OSV / GHSA advisory (GHSA-w4h6-9wrp-v5jq) · 2024-05-09 · advisory severity: CRITICAL · CWE-770 (Allocation of Resources Without Limits or Throttling)
Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service
The CRITICAL label is the advisory's own rating; the CVSS 3.1 vector recorded for the CVE (PR:H, availability impact only) scores 6.8, medium.
**Important: Exploiting this vulnerability requires the attacker to have access to your Frigate instance, which means they could also just delete all of your recordings or perform any other action. If you have configured authentication in front of Frigate via a reverse proxy, then this vulnerability is not exploitable without first getting around your authentication method. For many obvious reasons in addition to this one, please don't expose your Frigate instance publicly without any kind of authentication.**
## Summary
When uploading a file or retrieving the filename, a user may intentionally use a large Unicode filename which would lead to an application-level denial of service. This is due to no limitation set on the length of the filename and the costly use of the Unicode normalization with the form NFKD under the hood of `secure_filename()`.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-w4h6-9wrp-v5jq (advisory)
https://github.com/blakeblackshear/frigate/commit/cc851555e4029647986dccc8b8ecf54afee31442 (fix commit)