Lucene search

GitHub Advisory DatabaseGHSA-GFVQ-MXW3-MFQ3

HistoryOct 03, 2023 - 6:30 a.m.

asyncua vulnerable to denial of service via infinite loop

2023-10-0306:30:26

CWE-835

GitHub Advisory Database

github.com

dos

asyncua

infinite loop

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.0%

JSON

Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.

Affected configurations

Vulners

Node

asyncua_projectasyncuaRange<0.9.96python

VendorProductVersionCPE
asyncua_projectasyncua*cpe:2.3:a:asyncua_project:asyncua:*:*:*:*:*:python:*:*

Vendor	Product	Version	CPE
asyncua_project	asyncua	*	cpe:2.3:a:asyncua_project:asyncua::::::python::*

References

gist.github.com/artfire52/1540b234350795e0ecb4d672608dbec8

github.com/advisories/GHSA-gfvq-mxw3-mfq3

github.com/FreeOpcUa/opcua-asyncio/commit/f6603daa34a93a658f0e176cb0b9ee5a6643b262

github.com/FreeOpcUa/opcua-asyncio/issues/1013

github.com/FreeOpcUa/opcua-asyncio/pull/1039

github.com/FreeOpcUa/opcua-asyncio/releases/tag/v0.9.96

github.com/pypa/advisory-database/tree/main/vulns/asyncua/PYSEC-2023-190.yaml

nvd.nist.gov/vuln/detail/CVE-2023-26151

security.snyk.io/vuln/SNYK-PYTHON-ASYNCUA-5673709

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

46.0%

JSON

Related for GHSA-GFVQ-MXW3-MFQ3