Pimcore Thumbnails: Large File Generation Flooding (fixed in 11.2.4)
CVE-2024-32871 Published on June 4, 2024
Pimcore Vulnerable to Flooding Server with Thumbnail files
Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the original. This vulnerability is fixed in 11.2.4.
Vulnerability Analysis
CVE-2024-32871 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2024-32871
Want to know whenever a new CVE is published for Pimcore? stack.watch will email you.
Affected Versions
pimcore:- Version >= 11.0.0, < 11.2.4 is affected.
- Version 11.0.0, <= 11.2.4 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-32871
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | pimcore/pimcore | >= 11.0.0, < 11.2.4 | 11.2.4 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.