Severity: High
Package: aim
Title: Denial of Service via Self-Referencing Tracking Server

A denial-of-service vulnerability in version 3.19.3 of aim allows an attacker to point the tracking server at itself as a remote repository. The server then connects to itself without end and stops responding to other clients. No patched version was available at the time of publication.

Published: Jul 08 2024
CVSS score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Credit: patrik-ha
Threat Overview

The vulnerability is triggered when the tracking server is given itself as a remote repository. Serving that remote repository makes the server open a connection to itself, which makes it open another, and so on: the server enters an unbounded loop of self-connections and can no longer handle any other request. The root cause is a missing check that a remote repository reference resolves to something other than the server's own host and port. The outcome is uncontrolled resource consumption and a complete loss of availability, which is why the CVSS vector scores A:H with no confidentiality or integrity impact.
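The missing validation described above can be added at the point where a remote repository reference is accepted. The following is an added example, not code from aim or from the advisory: it assumes remote repositories are referenced as "aim://host:port" URLs, that the operator knows the hostnames and IPs the server is reachable at (own_hosts) and the port it listens on (bind_port), and that DEFAULT_PORT stands in for whatever port the real server uses when a URL omits one. Hostnames are resolved through an injectable resolver so the check can be exercised offline against a constructed name table.

```python
# Added example (not aim's code): refuse a remote-repository reference that
# resolves back to the tracking server being configured.
#
# Assumptions, for illustration only:
#   - remote repositories are given as "aim://host:port" URLs;
#   - own_hosts lists the hostnames/IPs the server is bound to or advertised as;
#   - DEFAULT_PORT is a placeholder for the server's real default port.
import socket
from typing import Callable, Iterable, Set
from urllib.parse import urlsplit

DEFAULT_PORT = 53800  # assumed default; substitute the real one

# Addresses that reach the local machine no matter what the server is bound to.
LOOPBACK: Set[str] = {"127.0.0.1", "::1", "0.0.0.0", "::"}

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> Set[str]:
    """Resolve a hostname or IP literal to the set of addresses it names."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def local_addresses(own_hosts: Iterable[str],
                    resolver: Resolver = default_resolver) -> Set[str]:
    """Every address at which this server can be reached: loopback plus the
    literal and resolved forms of each host the operator says is ours."""
    addrs = set(LOOPBACK)
    for host in own_hosts:
        addrs.add(host)
        addrs.update(resolver(host))
    return addrs


def is_self_reference(remote_url: str, own_hosts: Iterable[str], bind_port: int,
                      resolver: Resolver = default_resolver,
                      default_port: int = DEFAULT_PORT) -> bool:
    """True if connecting to remote_url would land on this server itself.

    Deliberately conservative: any target that resolves to one of our own
    addresses on our own port is refused, so a DNS alias of the local host is
    caught as well as a literal loopback address.
    """
    parts = urlsplit(remote_url)
    if parts.hostname is None:
        return False  # nothing to dial; leave it to ordinary URL validation
    port = parts.port if parts.port is not None else default_port
    if port != bind_port:
        return False
    targets = {parts.hostname} | set(resolver(parts.hostname))
    return not targets.isdisjoint(local_addresses(own_hosts, resolver))


def validate_remote(remote_url: str, own_hosts: Iterable[str], bind_port: int,
                    resolver: Resolver = default_resolver) -> str:
    """Gate to run before a handler may register a remote repository.
    Raises ValueError instead of letting the server dial itself."""
    if is_self_reference(remote_url, own_hosts, bind_port, resolver):
        raise ValueError(f"remote {remote_url!r} points back at this server")
    return remote_url


if __name__ == "__main__":
    # Constructed sample: server bound on all interfaces, port 53800, known as
    # "tracker"; the name table stands in for DNS so this runs offline.
    table = {"tracker": {"10.0.0.5"}, "alias.internal": {"10.0.0.5"},
             "other.internal": {"10.0.0.9"}, "localhost": {"127.0.0.1"}}
    fake = lambda h: table.get(h, set())
    own = ["0.0.0.0", "tracker"]
    for url in ["aim://localhost:53800", "aim://alias.internal:53800",
                "aim://other.internal:53800", "aim://tracker:53801"]:
        verdict = "REJECT" if is_self_reference(url, own, 53800, fake) else "ok"
        print(f"{url} -> {verdict}")
```

The check compares resolved addresses rather than the raw hostname string, because "localhost", "127.0.0.1", "[::1]" and any DNS alias of the host all reach the same listener; comparing the port as well keeps a second, separately bound instance on the same machine usable as a remote.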

Attack Scenario

An attacker initializes a repository and starts the tracking server. They then create a handler reference to a new repository and configure it to point back at the tracking server itself. The server enters an unbounded loop of self-connections, and every subsequent request to it fails because it is no longer responsive. Note that this scenario has the attacker start the server and register the reference themselves, while the CVSS vector rates the issue as exploitable over the network without privileges (AV:N, PR:N): any tracking server that accepts remote repository references from clients it does not trust should be treated as exposed.

Who is affected

Users running version 3.19.3 of aim whose tracking server accepts remote connections are affected. Until a fixed release is available, limit network access to the tracking server to trusted clients and do not let untrusted parties register remote repository references.
