CVE-2024-45590

Asymmetric Resource Consumption (Amplification)

Published: Sep 10, 2024 | Modified: Sep 20, 2024
CVSS 3.x (source: NVD): 7.5 HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: (no score listed)
RedHat/V2: (no score listed)
RedHat/V3: 7.5 IMPORTANT
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu: MEDIUM

body-parser is Node.js body parsing middleware. body-parser versions before 1.20.3 are vulnerable to denial of service when URL-encoded body parsing is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Weakness

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary’s influence is “asymmetric.”

Affected Software

Name | Vendor | Start Version | End Version
--- | --- | --- | ---
Body-parser | Openjsf | * | 1.20.3 (excluding)
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-cli-rhel9:v1.7.0-67 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-console-plugin-rhel9:v1.7.0-67 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-ebpf-agent-rhel9:v1.7.0-67 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-flowlogs-pipeline-rhel9:v1.7.0-67 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-operator-bundle:1.7.0-86 | *
NETWORK-OBSERVABILITY-1.7.0-RHEL-9 | RedHat | network-observability/network-observability-rhel9-operator:v1.7.0-67 | *
Red Hat Advanced Cluster Security 4.4 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.4.6-2 | *
Red Hat Advanced Cluster Security 4.5 | RedHat | advanced-cluster-security/rhacs-main-rhel8:4.5.5-3 | *
Red Hat Migration Toolkit for Containers 1.8 | RedHat | rhmtc/openshift-migration-ui-rhel8:v1.8.5-7 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/argocd-rhel8:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/argo-rollouts-rhel8:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/console-plugin-rhel8:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/dex-rhel8:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/gitops-operator-bundle:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/gitops-rhel8:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/gitops-rhel8-operator:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/kam-delivery-rhel8:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 | RedHat | openshift-gitops-1/must-gather-rhel8:v1.12.6-2 | *
Red Hat OpenShift GitOps 1.12 - RHEL 9 | RedHat | openshift-gitops-argocd-rhel9-container-v1.12.6-1 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/argocd-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/argo-rollouts-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/console-plugin-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/dex-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/gitops-operator-bundle:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/gitops-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/gitops-rhel8-operator:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/kam-delivery-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-1/must-gather-rhel8:v1.13.2-4 | *
Red Hat OpenShift GitOps 1.13 | RedHat | openshift-gitops-argocd-rhel9-container-v1.13.2-5 | *
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/grafana-rhel8:2.5.5-3 | *
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/istio-cni-rhel8:2.5.5-4 | *
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/istio-must-gather-rhel8:2.5.5-4 | *
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1.73.14-3 | *
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.73.15-3 | *
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/pilot-rhel8:2.5.5-4 | *
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/proxyv2-rhel8:2.5.5-6 | *
Red Hat OpenShift Service Mesh 2.5 for RHEL 8 | RedHat | openshift-service-mesh/ratelimit-rhel8:2.5.5-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/grafana-rhel8:2.6.2-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/istio-cni-rhel8:2.6.2-5 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/istio-must-gather-rhel8:2.6.2-4 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/istio-rhel8-operator:2.6.2-5 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1.89.2-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8:1.89.4-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/kiali-rhel8-operator:1.89.6-1 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/pilot-rhel8:2.6.2-5 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | RedHat | openshift-service-mesh/ratelimit-rhel8:2.6.2-3 | *
Red Hat OpenShift Service Mesh 2.6 for RHEL 9 | RedHat | openshift-service-mesh/proxyv2-rhel9:2.6.2-7 | *
RHODF-4.16-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.16.3-1 | *
RHODF-4.17-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.17.0-69 | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-agent-rhel8 | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-all-in-one-rhel8 | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-collector-rhel8 | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-es-index-cleaner-rhel8 | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-es-rollover-rhel8 | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-ingester-rhel8 | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-operator-bundle | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-query-rhel8 | *
Red Hat OpenShift distributed tracing 3 | RedHat | jaeger-rhel8-operator | *
Red Hat Trusted Profile Analyzer | RedHat | rhtpa-trustification-service-rhel9 | *
Red Hat Trusted Profile Analyzer | RedHat | rhtpa-guac-rhel9 | *
Node-body-parser | Ubuntu | upstream | *

Potential Mitigations

References