Unauthenticated DoS via Multipart Boundary
The vulnerability in version 1.10.0 allows an unauthenticated attacker to cause a denial of service by sending a malformed multipart request in which an excessive number of characters is appended to the boundary delimiter. The issue was patched in a later version.
Available publicly on Dec 30 2024
Threat Overview
The vulnerability arises because the server's multipart parser does not bound its handling of characters appended to a boundary delimiter. An attacker exploits it by sending a malformed multipart request; while processing the appended characters the server enters an infinite loop and consumes resources until the service is unresponsive. No authentication is required, so any client that can reach the server can trigger a complete denial of service (DoS) for all users.
Attack Scenario
An attacker sends a specially crafted multipart request in which an excessive number of characters follows the boundary delimiter. The server processes the extra characters in an infinite loop, exhausting resources and leaving the service unresponsive to legitimate users.
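As an added illustration, not code from the affected software or from this advisory (the page does not describe the parser internals), the following Python shows the shape of the malformed request described above and a bounded delimiter-line check that rejects it before any per-character processing runs. The 70-character boundary limit comes from RFC 2046 section 5.1.1; MAX_DELIMITER_TAIL and MAX_DELIMITER_LINES are assumed limits chosen for the example, and both request bodies are constructed.

```python
"""Added example: bounded handling of multipart boundary delimiter lines.

Illustrative code only. It is not the affected product's parser; it shows
the class of input described in the advisory (junk appended to a boundary
delimiter) and a check whose cost does not grow with the junk.
"""
import re
from typing import List, Optional

MAX_BOUNDARY_LEN = 70       # RFC 2046 section 5.1.1: boundary is 1..70 characters
MAX_DELIMITER_TAIL = 16     # assumed: tolerated transport padding after a delimiter
MAX_DELIMITER_LINES = 1000  # assumed: cap on delimiter lines per request


class MultipartError(ValueError):
    """Raised for any multipart input the bounded parser refuses."""


def boundary_from_content_type(content_type: str) -> str:
    """Extract the boundary parameter and enforce the RFC length bound."""
    m = re.search(r';\s*boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    if not m:
        raise MultipartError("missing boundary parameter")
    boundary = m.group(1) or m.group(2)
    if not 1 <= len(boundary) <= MAX_BOUNDARY_LEN:
        raise MultipartError("boundary length out of range")
    return boundary


def check_delimiter_line(line: bytes, delim: bytes) -> str:
    """Classify a line that starts with '--' + boundary.

    Returns 'part' for a part delimiter or 'close' for the closing delimiter.
    Raises before inspecting more than MAX_DELIMITER_TAIL trailing bytes, so
    the work done on appended junk is constant regardless of its length.
    """
    tail = line[len(delim):]
    kind = "part"
    if tail.startswith(b"--"):
        kind, tail = "close", tail[2:]
    if len(tail) > MAX_DELIMITER_TAIL:
        raise MultipartError(f"{len(tail)} bytes appended to boundary delimiter")
    if tail.strip(b" \t") != b"":
        raise MultipartError("non-whitespace appended to boundary delimiter")
    return kind


def split_parts(body: bytes, boundary: str) -> List[bytes]:
    """Split a CRLF-delimited multipart body into raw parts, validating every delimiter line."""
    delim = b"--" + boundary.encode("ascii")
    parts: List[bytes] = []
    current: Optional[List[bytes]] = None  # None while in the preamble
    closed = False
    delimiter_lines = 0
    for line in body.split(b"\r\n"):
        if line.startswith(delim):
            delimiter_lines += 1
            if delimiter_lines > MAX_DELIMITER_LINES:
                raise MultipartError("too many delimiter lines")
            kind = check_delimiter_line(line, delim)
            if current is not None:
                parts.append(b"\r\n".join(current))
            if kind == "close":
                closed = True
                break
            current = []
        elif current is not None:
            current.append(line)
    if not closed:
        raise MultipartError("missing closing delimiter")
    return parts


def classify_request(content_type: str, body: bytes) -> str:
    """Return 'accepted:<part count>' or 'rejected:<reason>' with bounded work."""
    try:
        boundary = boundary_from_content_type(content_type)
        parts = split_parts(body, boundary)
    except MultipartError as exc:
        return f"rejected:{exc}"
    return f"accepted:{len(parts)}"


# Constructed sample requests (not captured traffic).
CONTENT_TYPE = "multipart/form-data; boundary=abc123"
GOOD_BODY = (
    b"--abc123\r\n"
    b'Content-Disposition: form-data; name="f"\r\n\r\n'
    b"hello\r\n"
    b"--abc123--\r\n"
)
# Attack shape from the advisory: a large run of characters appended to the delimiter.
MALFORMED_BODY = (
    b"--abc123" + b"A" * 100_000 + b"\r\n"
    b'Content-Disposition: form-data; name="f"\r\n\r\n'
    b"hello\r\n"
    b"--abc123--\r\n"
)

if __name__ == "__main__":
    print(classify_request(CONTENT_TYPE, GOOD_BODY))
    print(classify_request(CONTENT_TYPE, MALFORMED_BODY))
```

The key property is that `check_delimiter_line` compares a length before it looks at the tail at all, so an attacker who appends a megabyte of junk after the boundary costs the server one slice and one integer comparison, not a loop over the junk. A parser that instead walks the trailing bytes one at a time, or re-scans the line for each of them, is the pattern that turns malformed input into a resource-exhaustion DoS.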
Who is affected
Every deployment of version 1.10.0 is affected. Because the resulting outage is service-wide, both administrators and end-users who rely on the service for legitimate purposes lose access while the attack is running.