CVE-2024-55653: pwndoc's UnhandledPromiseRejection on audits causes Denial of Service (DoS)

6.5 CVSS

Description

PwnDoc is a penetration test report generator. In versions up to and including 0.5.3, an authenticated user is able to crash the backend by raising a `UnhandledPromiseRejection` on audits which exits the backend. The user doesn't need to know the audit id, since a bad audit id will also raise the rejection. With the backend being unresponsive, the whole application becomes unusable for all users of the application. As of time of publication, no known patches are available.

Classification

CVE ID: CVE-2024-55653

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

Affected Products

Vendor: pwndoc

Product: pwndoc

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/pwndoc/pwndoc/security/advisories/GHSA-ggqg-3f7v-c8rc

Timeline

2024-12-11 00:31:12 UTC
CVE

pwndoc's UnhandledPromiseRejection on audits causes Denial of Service (DoS)