{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8939", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-09-17T08:06:08.909Z", "datePublished": "2024-09-17T16:21:15.222Z", "dateUpdated": "2025-01-14T08:28:57.142Z"}, "containers": {"cna": {"title": "Vllm: denials of service in vllm json web api", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "0.5.0.post1", "versionType": "custom"}], "packageName": "vllm", "collectionURL": "https://github.com/vllm-project/vllm", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhelai1/bootc-nvidia-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhelai1/instructlab-nvidia-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-8939", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312782", "name": "RHBZ#2312782", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-09-17T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-09-17T08:05:00.413000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-17T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Thibault Guittet for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-14T08:28:57.142Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-17T19:51:11.286179Z", "id": "CVE-2024-8939", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T19:51:22.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8939", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-17T19:51:11.286179Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T19:51:17.705Z"}}], "cna": {"title": "Vllm: denials of service in vllm json web api", "credits": [{"lang": "en", "value": "Red Hat would like to thank Thibault Guittet for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "0.5.0.post1", "versionType": "custom"}], "packageName": "vllm", "collectionURL": "https://github.com/vllm-project/vllm", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "packageName": "rhelai1/bootc-nvidia-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "packageName": "rhelai1/instructlab-nvidia-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-09-17T08:05:00.413000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-17T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-09-17T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-8939", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312782", "name": "RHBZ#2312782", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-14T08:28:57.142Z"}, "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"}}, "cveMetadata": {"cveId": "CVE-2024-8939", "state": "PUBLISHED", "dateUpdated": "2025-01-14T08:28:57.142Z", "dateReserved": "2024-09-17T08:06:08.909Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-17T16:21:15.222Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en el componente de servicio de modelos ilab, donde el manejo inadecuado del par\u00e1metro best_of en la API web JSON vllm puede provocar una denegaci\u00f3n de servicio (DoS). La API utilizada para completar oraciones o chats basados en LLM acepta un par\u00e1metro best_of para devolver la mejor opci\u00f3n de varias opciones. Cuando este par\u00e1metro se establece en un valor alto, la API no maneja los tiempos de espera o el agotamiento de recursos de manera adecuada, lo que permite que un atacante provoque una denegaci\u00f3n de servicio al consumir recursos excesivos del sistema. Esto hace que la API deje de responder, lo que impide que los usuarios leg\u00edtimos accedan al servicio."}], "id": "CVE-2024-8939", "lastModified": "2024-09-20T12:30:51.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-09-17T17:15:11.327", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-8939"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312782"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Thibault Guittet for reporting this issue.", "bugzilla": {"description": "vllm: Denials of Service in vllm JSON web API", "id": "2312782", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312782"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service.", "A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a best_of parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-8939", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Will not fix", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Will not fix", "package_name": "rhelai1/instructlab-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2024-09-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8939\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8939"], "statement": "The improper timeout handling vulnerability in the ilab model serve component is classified as a moderate severity issue rather than an important one because its impact is contingent upon the exposure of the API beyond localhost. While the vulnerability can lead to a Denial of Service (DoS) by causing excessive processing times for requests with a high `best_of` parameter, its effect is primarily localized to the server environment where the API is accessible externally. This means that if the API is not exposed to the public or is adequately secured, the risk of exploitation is significantly reduced. Additionally, the issue does not involve unauthorized data access or compromise of sensitive information, which limits its overall impact.", "threat_severity": "Moderate"}