SCA: security update for litestar (GHSA-gjcc-jvgw-wvwj)

high Tenable Cloud Security Plugin ID 415170

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 2.13.0, the
multipart form parser shipped with litestar expects the entire request body as a single byte string and
there is no default limit for the total size of the request body. This allows an attacker to upload
arbitrary large files wrapped in a `multipart/form-data` request and cause excessive memory consumption on
the server. The multipart form parser in affected versions is vulnerable to this type of attack by design.
The public method signature as well as its implementation both expect the entire request body to be
available as a single byte string. It is not possible to accept large file uploads in a safe way using
this parser. This may be a regression, as a variation of this issue was already reported in
CVE-2023-25578. Limiting the part number is not sufficient to prevent out-of-memory errors on the server.
A patch is available in version 2.13.0. (CVE-2024-52581)

See Also

https://github.com/advisories/GHSA-gjcc-jvgw-wvwj

Plugin Details

Severity: High

ID: 415170

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2024-52581

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/20/2024

Vulnerability Publication Date: 11/20/2024

Reference Information

CVE: CVE-2024-52581

cwe: CWE-770