CVE-2023-38505— DietPi-Dashboard 安全漏洞

DietPi-Dashboard Insufficient TLS Handshake Pool

DietPi-Dashboard is a web dashboard for the operating system DietPi. The dashboard only allows for one TLS handshake to be in process at a given moment. Once a TCP connection is established in HTTPS mode, it will assume that it should be waiting for a handshake, and will stay this way indefinitely until a handshake starts or some error occurs. In version 0.6.1, this can be exploited by simply not starting the handshake, preventing any other TLS handshakes from getting through. An attacker can lock the dashboard in a state where it is waiting for a TLS handshake from the attacker, who won't provide it. This prevents any legitimate traffic from getting to the dashboard, and can last indefinitely. Version 0.6.2 has a patch for this issue. As a workaround, do not use HTTPS mode on the open internet where anyone can connect. Instead, put a reverse proxy in front of the dashboard, and have it handle any HTTPS connections.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

不充分的资源池

DietPi-Dashboard 安全漏洞

DietPi-Dashboard是 DietPi 操作系统的一个组件，提供一个基于 Web 的用户界面，用于管理和监控安装了 DietPi 的设备。 DietPi-Dashboard 存在安全漏洞，该漏洞源于Dashboard仅允许在给定时刻进行一次 TLS 握手，一旦在 HTTPS 模式下建立了 TCP 连接，它将等待握手，并且将无限期地保持这种状态，直到握手开始或发生某些错误。

N/A

N/A