CVE-2024-5011: 
WhatsUp Gold vulnerability analysis and mitigation

In WhatsUp Gold versions released before 2023.1.3, an uncontrolled resource consumption vulnerability was identified (CVE-2024-5011). The vulnerability was discovered by Marcin 'Icewall' Noga of Cisco Talos and allows unauthenticated HTTP requests to the TestController Chart functionality, potentially leading to denial of service (Talos Intelligence, Progress Community).

The vulnerability exists in the TestController Chart functionality of Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697. The issue stems from the CreateChart function where an attacker has complete control over the 'pieces' argument, which controls the number of executions in a for loop. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified as CWE-400 (Uncontrolled Resource Consumption) (Talos Intelligence).

When exploited, this vulnerability can lead to significant CPU resource consumption for extended periods. By setting the 'pieces' value to a high number (e.g., 100000) and repeating such requests, an attacker with limited resources can completely block the system's functionality, resulting in denial of service (Talos Intelligence).

Progress Software Corporation has addressed this vulnerability in WhatsUp Gold version 2023.1.3. Users are advised to upgrade to this version or later to mitigate the risk (Progress Community).