CVE-2024-2689

Source
https://cve.org/CVERecord?id=CVE-2024-2689
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2689.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-2689
Aliases
Published
2024-04-03T21:13:31.599Z
Modified
2026-07-15T01:48:58.616023349Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of Service if invalid UTF-8 sent
Details

Denial of Service in Temporal Server prior to version 1.20.5, 1.21.6, and 1.22.7 allows an authenticated user who has permissions to interact with workflows and has crafted an invalid UTF-8 string for submission to potentially cause a crashloop. If left unchecked, the task containing the invalid UTF-8 will become stuck in the queue, causing an increase in queue lag. Eventually, all processes handling these queues will become stuck and the system will run out of resources. The workflow ID of the failing task will be visible in the logs, and can be used to remove that workflow as a mitigation. Version 1.23 is not impacted. In this context, a user is an operator of Temporal Server.

Database specific
{
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/2xxx/CVE-2024-2689.json",
    "cna_assigner": "Temporal"
}
References

Affected packages

Git / github.com/temporalio/temporal

Affected ranges

Type
GIT
Repo
https://github.com/temporalio/temporal
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.20.5"
        },
        {
            "introduced": "1.21.0"
        },
        {
            "fixed": "1.21.6"
        },
        {
            "introduced": "1.22.0"
        },
        {
            "fixed": "1.22.7"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

Other
dummy-tag
v.*
v.0.29.0
v0.*
v0.1.0-beta
v0.1.1-beta
v0.10.0
v0.2.0
v0.20.0
v0.21.0
v0.21.1
v0.23.0
v0.23.1
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.3.0
v0.3.1
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.30.0
v0.31.0
v0.4.0
v0.5.3
v0.5.4
v0.5.5
v0.8.0
v0.8.1
v1.*
v1.0.0
v1.0.0-rc1
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.15.0
v1.16.0
v1.18.0
v1.20.0
v1.20.1
v1.20.2
v1.20.3
v1.20.4
v1.21.0
v1.21.1
v1.21.2
v1.21.3
v1.21.4
v1.21.5
v1.21.5-rc1
v1.21.5-rc2
v1.21.5-rc3
v1.22.0
v1.22.1
v1.22.1-rc1
v1.22.2
v1.22.2-rc1
v1.22.2-rc2
v1.22.2-rc3
v1.22.3
v1.22.3-rc1
v1.22.3-rc2
v1.22.3-rc3
v1.22.4
v1.22.5
v1.22.5-rc1
v1.22.5-rc2
v1.22.6
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2689.json"