Key Vulnerability Information

Vulnerability Name: Denial-of-Service via Improper Exception Handling
CVE ID: CVE-2024-31217

CVE Base Metrics:
Severity: Moderate (5.3/10)
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Affected Package: @strapi/plugin-upload (npm)
Affected Versions: <=4.21.0
Patched Versions: 4.22.0

Description:

Summary:
- A Denial-of-Service vulnerability was found in the media upload process, causing the server to crash without restarting.

Details:
- Errors in the application cause it to log the error and crash, stopping the server execution.

PoC:
- The vulnerability is exploited by manipulating the file extension in the header using Burp Suite.
- Adding at the end of the file extension leads to an invalid argument value error, causing the server to crash.

Impact:
- Denial-of-Service occurs when the server becomes unavailable for users or other services.
- The server crashes due to the thrown error, causing a full system crash instead of returning a 500 error.
- Any user with access to the file upload functionality can exploit this vulnerability.

Reference Log:
The error message is "ERR_INVALID_ARG_VALUE", indicating an invalid path argument.
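The "crash instead of a 500" failure mode described above, with the two defender-side fixes, as an added example that is not part of the advisory or of Strapi's code: validate the client-supplied extension before it reaches the storage layer, and wrap the handler in an error boundary so an unexpected throw is logged and answered with HTTP 500 instead of ending the process. All names are hypothetical; storeFile() is a constructed stand-in for the real upload step, and the control-character rule it uses is constructed to reproduce the error code from the reference log, not the advisory's actual trigger.

```javascript
// Allow-list for the extension taken from the request headers (hypothetical policy).
const EXT_ALLOWLIST = /^[a-z0-9]{1,10}$/;

// Normalise and allow-list the client-supplied extension; null means reject.
function sanitizeExtension(ext) {
  if (typeof ext !== "string") return null;
  const lowered = ext.trim().toLowerCase();
  return EXT_ALLOWLIST.test(lowered) ? lowered : null;
}

// Constructed stand-in for the storage layer: rejects paths containing a
// control character with the same error shape Node's fs/path APIs use for
// malformed path arguments (TypeError with code ERR_INVALID_ARG_VALUE).
function storeFile(baseDir, name, ext) {
  const target = `${baseDir}/${name}.${ext}`;
  if (/[\u0000-\u001f]/.test(target)) {
    const err = new TypeError(`The argument 'path' is invalid: ${JSON.stringify(target)}`);
    err.code = "ERR_INVALID_ARG_VALUE";
    throw err;
  }
  return target;
}

// Vulnerable shape: the raw header value reaches storeFile and whatever it
// throws escapes the handler. In a running server that becomes an uncaught
// exception (or unhandled rejection), i.e. the process exits.
function uploadUnsafe(req) {
  return { status: 201, path: storeFile("/uploads", req.id, req.headers["x-file-ext"]) };
}

// Error boundary: any throw inside the handler is logged and turned into a
// 500 response, so one bad request cannot take the whole service down.
function withErrorBoundary(handler, log = () => {}) {
  return (req) => {
    try {
      return handler(req);
    } catch (err) {
      log(err.code || err.message);
      return { status: 500, error: "internal error" };
    }
  };
}

// Hardened shape: reject bad input with 400 first, then rely on the boundary
// for anything unexpected further down.
const uploadSafe = withErrorBoundary((req) => {
  const ext = sanitizeExtension(req.headers["x-file-ext"]);
  if (ext === null) return { status: 400, error: "unsupported file extension" };
  return { status: 201, path: storeFile("/uploads", req.id, ext) };
});
```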