CVE-2024-36416
Published: 10 June 2024
Summary
CVE-2024-36416 is a high-severity Logging of Excessive Data (CWE-779) vulnerability in SalesAgility SuiteCRM. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
SuiteCRM, an open-source customer relationship management application, contains a denial-of-service vulnerability in a deprecated v4 API example that lacks log rotation. The flaw, present in versions prior to 7.14.4 and 8.6.1, permits excessive data to be written to logs, resulting in resource exhaustion. The issue is tracked as CVE-2024-36416 with a CVSS 3.1 score of 8.6 and is associated with CWE-779.
An unauthenticated attacker with network access can trigger the vulnerability by sending crafted requests to the deprecated example endpoint, causing unbounded log growth that leads to service disruption. No user interaction or credentials are required, and the attack affects availability only, leaving confidentiality and integrity intact. The base score reaches 8.6 rather than 7.5 because the vector is scope-changed: a full disk affects everything on the host, not just SuiteCRM.
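The following Python is an added example, not SuiteCRM's own code (the project is PHP) and not the vendor's patch. It models the weakness class the advisory describes: a logging path that appends an attacker-controlled field with no per-record cap and no rotation, beside a hardened variant that truncates each record and rotates by size. The size limits, the file names and the "request payload" record format are assumptions chosen for the demonstration; the flood input is constructed, not captured traffic.

```python
"""Bounded versus unbounded request logging (a CWE-779 demonstration).

Added example, not SuiteCRM code (the project is PHP; this models the
weakness class, not the vendor's patch). An endpoint appends an
attacker-controlled field to a log with no per-record cap and no rotation,
so repeated unauthenticated requests grow the file until the disk fills.
The hardened variant truncates each record and rotates the file by size,
so the on-disk footprint stays bounded however many requests arrive.
"""
import logging
import os
import tempfile
from logging.handlers import RotatingFileHandler

# All three limits are assumptions chosen for the demonstration.
MAX_RECORD_BYTES = 1024        # cap on what one request may contribute to a record
MAX_FILE_BYTES = 64 * 1024     # rotate once the active log would exceed 64 KiB
BACKUP_COUNT = 2               # keep two rotated files; older ones are deleted


def unbounded_log(log_path: str, payload: str) -> None:
    """The weak pattern: append whatever the client sent, with no limit."""
    with open(log_path, "a", encoding="utf-8", newline="\n") as fh:
        fh.write(f"request payload={payload}\n")


def cap_payload(payload: str) -> str:
    """Truncate an untrusted field before it reaches the log."""
    if len(payload) <= MAX_RECORD_BYTES:
        return payload
    dropped = len(payload) - MAX_RECORD_BYTES
    return payload[:MAX_RECORD_BYTES] + f"...[truncated {dropped} chars]"


def make_bounded_logger(log_path: str) -> logging.Logger:
    """The hardened pattern: size-based rotation with a fixed backup count."""
    logger = logging.getLogger(f"bounded:{log_path}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    if not logger.handlers:
        handler = RotatingFileHandler(
            log_path, maxBytes=MAX_FILE_BYTES, backupCount=BACKUP_COUNT, encoding="utf-8"
        )
        handler.setFormatter(logging.Formatter("%(message)s"))
        logger.addHandler(handler)
    return logger


def bounded_log(logger: logging.Logger, payload: str) -> None:
    """Log the request with the untrusted field capped first."""
    logger.info("request payload=%s", cap_payload(payload))


def log_footprint(log_dir: str, base_name: str) -> int:
    """Total bytes on disk for the active log plus any rotated copies."""
    return sum(
        os.path.getsize(os.path.join(log_dir, name))
        for name in os.listdir(log_dir)
        if name == base_name or name.startswith(base_name + ".")
    )


def simulate_flood(requests: int, payload_size: int) -> dict:
    """Send one constructed oversized payload `requests` times to both loggers.

    Returns the on-disk footprint of each log plus the ceiling the bounded
    logger can never exceed: (BACKUP_COUNT + 1) files of at most
    MAX_FILE_BYTES each, plus one record of slack.
    """
    payload = "A" * payload_size   # constructed input, not captured traffic
    with tempfile.TemporaryDirectory() as tmp:
        weak_path = os.path.join(tmp, "weak.log")
        hard_path = os.path.join(tmp, "hard.log")
        logger = make_bounded_logger(hard_path)
        for _ in range(requests):
            unbounded_log(weak_path, payload)
            bounded_log(logger, payload)
        result = {
            "unbounded_bytes": log_footprint(tmp, "weak.log"),
            "bounded_bytes": log_footprint(tmp, "hard.log"),
            "bounded_ceiling": (BACKUP_COUNT + 1) * MAX_FILE_BYTES + MAX_RECORD_BYTES + 64,
        }
        # Release the file handles so the temporary directory can be removed.
        for handler in list(logger.handlers):
            handler.close()
            logger.removeHandler(handler)
    return result


if __name__ == "__main__":
    print(simulate_flood(requests=1000, payload_size=4096))
```

Running the flood shows the unbounded file growing linearly with request count while the rotated log never exceeds three files of 64 KiB. For a deployed PHP application the operational equivalents are size-based logrotate on the application log and, until the upgrade to 7.14.4 or 8.6.1 is applied, denying access to the deprecated example endpoint at the web server.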
Official advisories from the SuiteCRM project and the corresponding GitHub security advisory recommend immediate upgrade to versions 7.14.4 or 8.6.1, which contain the fix. Public references also include release notes and a proof-of-concept repository that illustrate the logging behavior.
The EPSS score for this CVE stands at 0.4470 and has shown no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36073
Vulnerability details
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
- CWE(s): CWE-779 (Logging of Excessive Data)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
SuiteCRM versions prior to 7.14.4 (7.x branch) and prior to 8.6.1 (8.x branch).
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Audit record reduction (NIST SP 800-53 AU-7) explicitly manages excessive log volumes for review and reporting while preserving original content and ordering, reducing the analytic impact of logging excessive data. Note that this control bounds analyst workload, not disk consumption; the control that actually limits the footprint of this flaw is size-based log rotation and retention, which is what the missing rotation in the deprecated example failed to provide.