CVE-2023-29499
CVE Details
Visit the official vulnerability details page for CVE-2023-29499 to learn more.
Initial Publication
10/25/2024
Last Update
12/16/2024
Third Party Dependency
glib2
NIST CVE Summary
A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.
CVE Severity
Our Official Summary
This vulnerability enables a denial of service attack to be performed against applications that process untrusted GVariant input, compromising application availability by consuming excessive processing time or utilizing a large quantity of memory. Because the most widely available attack vector is local and the consequences are limited to denial of service.
The images where this vulnrability is have controls in place are not accessible outside the cluster. So the attacker needs to gain privileged access to the cluster to attempt this exploit. Also the containers do not allow execution of arbitrary code. Impact of this exploit is also low, since container reduces the attack surface.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.15 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.5.11 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.5.10 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.5.8 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.5.5 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.5.4 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.4.20 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
| 12/09/2024 | Official summary revised: This vulnerability enables a denial of service attack to be performed against applications that process untrusted GVariant input, compromising application availability by consuming excessive processing time or utilizing a large quantity of memory. Because the most widely available attack vector is local and the consequences are limited to denial of service.The images where this vulnrability is have controls in place are not accessible outside the cluster. So the attacker needs to gain privileged access to the cluster to attempt this exploit. Also the containers do not allow execution of arbitrary code. Impact of this exploit is also low, since container reduces the attack surface. |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/14/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |