Denial of Service via Self-Referencing Tracking Server
Available publicly on Jul 08 2024
Threat Overview
The vulnerability arises when the tracking server is configured to point at itself as a remote repository. This causes the server to enter an infinite loop of self-connections, rendering it unable to handle any other requests. The root cause is the lack of validation to prevent the server from referencing itself. This results in uncontrolled resource consumption and a complete denial of service.
Attack Scenario
An attacker initializes a repository and starts the tracking server. They then create a handler reference to a new repository and configure it to point back at the tracking server itself. This causes the server to enter an infinite loop of self-connections. Any subsequent requests to the server will fail as it becomes unresponsive.
Who is affected
Users running version 3.19.3 of the software who expose their tracking server to remote connections are affected by this vulnerability.
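The missing validation described above, as an added example that is not the affected project's code: a check that rejects a remote-repository URL resolving to the tracking server's own listener. The resolver and interface list are injected and stubbed with constructed values so it runs offline; the hostnames, addresses and port 8080 are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def is_self_reference(remote_url, listen_host, listen_port, resolve, local_ips):
    """True if remote_url would connect back to this server's own listener.
    resolve: hostname -> list of IPs (injected so it can be stubbed offline);
    local_ips: every address assigned to this host's interfaces."""
    parts = urlsplit(remote_url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False  # a non-network remote cannot loop back over the socket
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port != listen_port:
        return False  # same host but another port is a different service
    # Addresses that mean "this server": loopback always; every interface
    # address when bound to a wildcard; otherwise only the bound address.
    own_ips = {"127.0.0.1", "::1"}
    if listen_host in ("0.0.0.0", "::"):
        own_ips |= set(local_ips)
    else:
        own_ips |= set(resolve(listen_host))
    return bool(set(resolve(parts.hostname)) & own_ips)


def validate_remote(remote_url, listen_host, listen_port, resolve, local_ips):
    """Refuse a remote that points the tracking server at itself."""
    if is_self_reference(remote_url, listen_host, listen_port, resolve, local_ips):
        raise ValueError(f"remote {remote_url!r} points at this tracking server")
    return remote_url


# Constructed stand-ins for DNS and the host's interface list (example values only).
_FAKE_DNS = {"localhost": ["127.0.0.1", "::1"],
             "tracker.internal.example": ["10.0.0.5"],
             "mirror.example": ["203.0.113.9"]}
LOCAL_IPS = ["10.0.0.5", "127.0.0.1"]


def fake_resolve(host):
    try:
        ipaddress.ip_address(host)
        return [host]  # an IP literal "resolves" to itself
    except ValueError:
        return _FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("http://mirror.example:8080/repo", "http://localhost:8080/repo"):
        try:
            print("accepted:", validate_remote(url, "0.0.0.0", 8080, fake_resolve, LOCAL_IPS))
        except ValueError as err:
            print("rejected:", err)
```

Comparing resolved addresses will not catch a loop that passes through a proxy, a redirect, or a hostname whose DNS answer changes after the check, so a server-side limit on nested remote connections is the complementary control.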