← Volver a CVEs
CVE-2026-28342
HIGH7.5
Descripcion
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.2, the PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS). The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits. This issue has been patched in version 3000.10.2.
Detalles CVE
Puntuacion CVSS v3.17.5
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado3/5/2026
Ultima modificacion3/10/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
olivetin:olivetin
Debilidades (CWE)
CWE-400CWE-770
Referencias
https://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90(security-advisories@github.com)
https://github.com/OliveTin/OliveTin/releases/tag/3000.10.2(security-advisories@github.com)
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp(security-advisories@github.com)
https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.