CVE-2024-39702

MEDIUM EPSS 42.1%
Published Jul 23, 20241y ago · Modified Jun 17, 20261w ago
5.9 CVSS 3.1
Medium
Find Similar
Published Jul 23, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected.

CVSS Details

Base Score
5.9
Exploitability
2.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
42.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-407

Affected Products 3

VendorProductVersionRange
openrestyopenresty*≥1.19.3.1  –  <1.19.9.2
openrestyopenresty*≥1.21.4.1  –  <1.21.4.4
openrestyopenresty1.25.3.1any

References 1

  • openresty.org https://openresty.org/en/ann-1025003002.html
    Patch

Remediation

  • openresty.org https://openresty.org/en/ann-1025003002.html
    Patch