{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-39702", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-26T17:58:14.207Z", "dateReserved": "2024-06-27T00:00:00", "datePublished": "2024-07-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-24T05:07:58.795157"}, "descriptions": [{"lang": "en", "value": "In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://openresty.org/en/ann-1025003002.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-407", "lang": "en", "description": "CWE-407 Inefficient Algorithmic Complexity"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T16:47:26.552022Z", "id": "CVE-2024-39702", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-26T17:58:14.207Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:16.211Z"}, "title": "CVE Program Container", "references": [{"url": "https://openresty.org/en/ann-1025003002.html", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://openresty.org/en/ann-1025003002.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:16.211Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-39702", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T16:47:26.552022Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407 Inefficient Algorithmic Complexity"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T16:47:30.583Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://openresty.org/en/ann-1025003002.html"}], "descriptions": [{"lang": "en", "value": "In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-24T05:07:58.795157"}}}, "cveMetadata": {"cveId": "CVE-2024-39702", "state": "PUBLISHED", "dateUpdated": "2024-11-26T17:58:14.207Z", "dateReserved": "2024-06-27T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-23T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openresty:openresty:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B818A0E-946D-4E48-9F1F-4CB27576504A", "versionEndExcluding": "1.19.9.2", "versionStartIncluding": "1.19.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openresty:openresty:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D342BFC-6D20-48E0-BDFF-8C1F27B3A9F1", "versionEndExcluding": "1.21.4.4", "versionStartIncluding": "1.21.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openresty:openresty:1.25.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4A759461-C4A4-43A9-B687-B226896D39EC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected."}, {"lang": "es", "value": " En lj_str_hash.c en OpenResty 1.19.3.1 a 1.25.3.1, la funci\u00f3n hash de cadena (utilizada durante el internamiento de cadenas) permite ataques HashDoS (denegaci\u00f3n de servicio de hash). Un atacante podr\u00eda provocar un uso excesivo de recursos durante las operaciones de proxy a trav\u00e9s de solicitudes manipuladas, lo que podr\u00eda provocar una denegaci\u00f3n de servicio con relativamente pocas solicitudes entrantes. Esta vulnerabilidad solo existe en la bifurcaci\u00f3n OpenResty en el repositorio de GitHub openresty/luajit2. El repositorio LuaJIT/LuaJIT. no se ve afectado."}], "id": "CVE-2024-39702", "lastModified": "2025-09-24T14:20:34.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-23T16:15:05.557", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://openresty.org/en/ann-1025003002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://openresty.org/en/ann-1025003002.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-407"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "OpenResty: Hashing function allows HashDoS (Hash Denial of Service) attacks", "id": "2299537", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2299537"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected.", "A flaw was found in the OpenResty package. Affected versions of this package are vulnerable to denial of service (DoS) through the string hashing function. This flaw allows an attacker to cause excessive resource usage and potentially lead to a denial of service with relatively few incoming requests."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-39702", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "openresty", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2024-07-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39702\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39702\nhttps://openresty.org/en/ann-1025003002.html"], "statement": "The HashDoS vulnerability in OpenResty\u2019s `lj_str_hash.c` file, while impactful, is classified as a moderate severity issue rather than critical. This classification is due to the nature of the attack vector, which requires crafted input to exploit the hashing function and induce excessive resource usage. The exploitability of this vulnerability depends on the attacker\u2019s ability to generate and send specifically designed requests, which may limit its practical impact compared to vulnerabilities that allow for more straightforward or widespread attacks. Additionally, the effect is confined to resource exhaustion, which, although disruptive, does not directly lead to unauthorized data access or system compromise.", "threat_severity": "Moderate"}

{}