CVE-2024-39702

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-39702

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39702.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-39702

Published

2024-07-23T16:15:05.557Z

Modified

2026-04-10T05:15:54.778439Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In ljstrhash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected.

References

https://openresty.org/en/ann-1025003002.html

Affected packages

Git / github.com/openresty/openresty

Affected ranges

Type

GIT

Repo

https://github.com/openresty/openresty

Events

Introduced

de3e659ef52237491babf62e784f322b146fdb1a

Fixed

4e6d537af50e51b5b73f81a22b3a47b6531bb631

Introduced

37fe0d43147d6d47fb0e03dbdf38b866970e6d31

Fixed

78f3b2d44456c881c650e0740ec7dec608781236

Introduced

Last affected

8978f0426f13631d95806ba4de3d86a04462a8ea

Database specific

{
    "versions": [
        {
            "introduced": "1.19.3.1"
        },
        {
            "fixed": "1.19.9.2"
        },
        {
            "introduced": "1.21.4.1"
        },
        {
            "fixed": "1.21.4.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.25.3.1"
        }
    ]
}

Affected versions

v1.*

v1.19.3.1

v1.19.9.1

v1.19.9.1rc1

v1.21.4.1

v1.21.4.2

v1.21.4.2rc1

v1.21.4.3

v1.25.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39702.json"