{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8768", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-09-12T21:29:58.462Z", "datePublished": "2024-09-17T16:20:42.399Z", "dateUpdated": "2024-11-07T14:21:28.509Z"}, "containers": {"cna": {"title": "Vllm: a completions api request with an empty prompt will crash the vllm api server.", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhelai1/bootc-nvidia-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhelai1/instructlab-nvidia-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-8768", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311895", "name": "RHBZ#2311895", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/vllm-project/vllm/issues/7632"}, {"url": "https://github.com/vllm-project/vllm/pull/7746"}], "datePublic": "2024-08-22T12:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "description": "Reachable Assertion", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-617: Reachable Assertion", "workarounds": [{"lang": "en", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}], "timeline": [{"lang": "en", "time": "2024-09-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-08-22T12:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-07T14:21:28.509Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-17T18:21:27.413720Z", "id": "CVE-2024-8768", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T18:21:54.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8768", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-17T18:21:27.413720Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-17T18:21:51.376Z"}}], "cna": {"title": "Vllm: a completions api request with an empty prompt will crash the vllm api server.", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "packageName": "rhelai1/bootc-nvidia-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "packageName": "rhelai1/instructlab-nvidia-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-09-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-08-22T12:00:00+00:00", "value": "Made public."}], "datePublic": "2024-08-22T12:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-8768", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311895", "name": "RHBZ#2311895", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/vllm-project/vllm/issues/7632"}, {"url": "https://github.com/vllm-project/vllm/pull/7746"}], "workarounds": [{"lang": "en", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "Reachable Assertion"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-07T14:21:28.509Z"}, "x_redhatCweChain": "CWE-617: Reachable Assertion"}}, "cveMetadata": {"cveId": "CVE-2024-8768", "state": "PUBLISHED", "dateUpdated": "2024-11-07T14:21:28.509Z", "dateReserved": "2024-09-12T21:29:58.462Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-17T16:20:42.399Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la librer\u00eda vLLM. Una solicitud de API de finalizaci\u00f3n con un mensaje vac\u00edo bloquear\u00e1 el servidor de API de vLLM, lo que provocar\u00e1 una denegaci\u00f3n de servicio."}], "id": "CVE-2024-8768", "lastModified": "2024-09-20T12:30:51.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-09-17T17:15:11.100", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-8768"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311895"}, {"source": "secalert@redhat.com", "url": "https://github.com/vllm-project/vllm/issues/7632"}, {"source": "secalert@redhat.com", "url": "https://github.com/vllm-project/vllm/pull/7746"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"bugzilla": {"description": "vllm: A completions API request with an empty prompt will crash the vllm API server.", "id": "2311895", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311895"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-617", "details": ["A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.", "A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-8768", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Will not fix", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Will not fix", "package_name": "rhelai1/instructlab-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2024-08-22T12:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8768\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8768\nhttps://github.com/vllm-project/vllm/issues/7632\nhttps://github.com/vllm-project/vllm/pull/7746"], "statement": "This vulnerability can only be exploited when vLLM is serving GPT-2 models, other models are not affected by this issue.\nAs this flaw allows remote users to cause a denial of service, it has been rated with an important severity.", "threat_severity": "Important"}