High Severity

kubeflow

ReDoS Vulnerability in Central Dashboard Component

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the central dashboard component of Kubeflow, affecting the latest version. It can be triggered remotely without authentication and causes excessive CPU consumption. No fixed version is mentioned.

Available publicly on May 31 2024

CVSS 3.1 base score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Threat Overview

The vulnerability stems from an inefficient regular expression used to validate email addresses in the central dashboard's backend. The pattern has exponential worst-case time complexity (catastrophic backtracking), so a crafted input can make the application consume an excessive amount of CPU, leading to service disruption and downtime. Because the request can be sent remotely without any form of authentication, the issue is particularly dangerous.
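The following is an added example, not code from Kubeflow or from this advisory, which does not publish the affected regex. It uses a constructed email pattern with the defect class described above (a quantified group nested inside another quantifier over the same character class) next to a hardened validator that caps input length and uses only unambiguous quantifiers, plus a review-time smell check for the textbook `([class]+)*` shape. All pattern strings, sample addresses and the probe generator are constructed for illustration.

```python
import re
import time

# Constructed example of a backtracking-prone email pattern. It is NOT the
# regex from Kubeflow's central dashboard (the advisory does not publish it);
# it reproduces the defect class the advisory describes: a quantified group
# nested inside another quantifier over the same character class.
BACKTRACKING_EMAIL_RE = re.compile(
    r"^([a-zA-Z0-9]+)*@([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$"
)

# Hardened replacement: each quantifier applies to a single character class,
# and every repeated group starts with a literal '.' that the preceding class
# cannot consume, so there is only one way to split any input and backtracking
# stays bounded instead of exponential.
SAFE_EMAIL_RE = re.compile(
    r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*\.[a-zA-Z]{2,}$"
)

# RFC 5321 caps a mailbox path at 254 octets. Rejecting longer input before any
# regex runs bounds the work a request can force, even if a pattern is bad.
MAX_EMAIL_LEN = 254


def has_nested_quantifier(pattern: str) -> bool:
    """Review-time smell check: flags the textbook ReDoS shape '([class]+)*'
    or '([class]*)+'. It detects this one shape only; it is not a proof that
    a pattern without it is safe."""
    return re.search(r"\(\[[^\]]*\][+*]\)[+*]", pattern) is not None


def validate_email_safe(value: str) -> bool:
    """Length-capped email check using the hardened pattern."""
    if len(value) > MAX_EMAIL_LEN:
        return False
    return SAFE_EMAIL_RE.fullmatch(value) is not None


def time_match(pattern: re.Pattern, value: str) -> tuple[bool, float]:
    """Return (matched, seconds) for a single fullmatch call."""
    start = time.perf_counter()
    matched = pattern.fullmatch(value) is not None
    return matched, time.perf_counter() - start


def malicious_local_part(n: int) -> str:
    """Constructed probe: n alphanumerics followed by a character that can never
    match, so the overall match must fail and the nested quantifiers are forced
    to try every partition of the run before giving up."""
    return "a" * n + "!"


if __name__ == "__main__":
    # Both patterns agree on ordinary input (constructed sample addresses).
    for sample in ("alice@example.com", "ml42@kubeflow.example.org", "not-an-email"):
        vuln = BACKTRACKING_EMAIL_RE.fullmatch(sample) is not None
        print(f"{sample!r}: backtracking={vuln} hardened={validate_email_safe(sample)}")

    print("smell in backtracking pattern:", has_nested_quantifier(BACKTRACKING_EMAIL_RE.pattern))
    print("smell in hardened pattern:   ", has_nested_quantifier(SAFE_EMAIL_RE.pattern))

    # Matching time roughly doubles per extra character for the backtracking
    # pattern, while the hardened pattern stays flat.
    for n in (12, 14, 16, 18, 20):
        probe = malicious_local_part(n)
        _, vuln_t = time_match(BACKTRACKING_EMAIL_RE, probe)
        _, safe_t = time_match(SAFE_EMAIL_RE, probe)
        print(f"n={n:2d}  backtracking={vuln_t:8.4f}s  hardened={safe_t:.6f}s")
```

Running the module prints the timing table; the defensive point is that the length cap and the unambiguous pattern make the hardened validator's cost independent of how the input is shaped, which is the property to check for in any user-facing regex.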

Attack Scenario

An attacker clones the Kubeflow repository and sets up the central dashboard component. They then send a specially crafted payload to the API endpoint responsible for adding contributors, where the payload is designed to exploit the inefficient regex. This causes the server to take an inordinate amount of time processing the request, leading to CPU exhaustion.

Who is affected

The vulnerability affects users and administrators of the Kubeflow platform, specifically those utilizing the central dashboard component for managing workgroups and contributors. Attackers can exploit this vulnerability to cause service disruption, affecting the availability of the platform.
