GitHub Advisory Database: GHSA-HGP8-W8FJ-R4CM
Nov 22, 2022 - 3:30 a.m.

ToolJet is vulnerable to Denial of Service (DoS)

2022-11-22 03:30:56
CWE-400
CWE-1284
GitHub Advisory Database
github.com
Tags: tooljet, user avatars, denial of service, vulnerability, fixed version, npm package

6.5 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low (percentile 32.1%)

ToolJet/ToolJet placed no limit on the file size for user avatars. This could cause a denial of service if too many users upload large files. This is fixed in commit 01cd3f0464747973ec329e9fb1ea12743d3235cc in version 1.27.0.

tooljet is no longer listed on npmjs.com but was listed on npmjs.com in the past. This advisory is maintained for historical completeness.
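The advisory describes a missing upload size limit (CWE-400 / CWE-1284): any authenticated user could push arbitrarily large avatar bodies and exhaust server storage or memory. As an added illustration that is not ToolJet's own code and not the change in the referenced commit, the Node.js snippet below shows the two checks such an endpoint needs: rejecting on the declared Content-Length before the body is read, and counting bytes as they stream in so that an omitted or false header cannot bypass the limit. The constant MAX_AVATAR_BYTES, the function names and the sample chunks are assumptions made for this example.

```javascript
'use strict';

// Assumed policy limit for a single avatar upload; not a value from the advisory.
const MAX_AVATAR_BYTES = 2 * 1024 * 1024;

class PayloadTooLargeError extends Error {
  constructor(received, limit) {
    super(`upload of ${received} bytes exceeds limit of ${limit} bytes`);
    this.name = 'PayloadTooLargeError';
    this.status = 413; // HTTP 413 Payload Too Large
  }
}

// First check: refuse on the declared Content-Length before reading anything.
// Returns the declared length, or null when the client sent no header (for
// example chunked transfer), in which case only the streaming check protects us.
function checkDeclaredLength(headers, limit = MAX_AVATAR_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return null;
  if (!/^\d+$/.test(String(raw))) throw new TypeError('malformed Content-Length');
  const declared = Number(raw);
  if (declared > limit) throw new PayloadTooLargeError(declared, limit);
  return declared;
}

// Second check: count bytes as they arrive and abort the moment the limit is
// crossed, so a client that lies about or omits Content-Length still cannot make
// the server buffer an unbounded body. Kept synchronous so it can wrap any source.
function createBoundedCollector(limit = MAX_AVATAR_BYTES) {
  const chunks = [];
  let received = 0;
  return {
    push(chunk) {
      received += chunk.length;
      if (received > limit) {
        chunks.length = 0; // release what was buffered so far
        throw new PayloadTooLargeError(received, limit);
      }
      chunks.push(chunk);
    },
    finish() {
      return Buffer.concat(chunks);
    },
    get received() {
      return received;
    },
  };
}

// Wrapper for a Node Readable such as http.IncomingMessage: destroys the stream
// on overflow so the connection is torn down instead of being drained.
async function readBounded(stream, limit = MAX_AVATAR_BYTES) {
  const collector = createBoundedCollector(limit);
  try {
    for await (const chunk of stream) collector.push(chunk);
  } catch (err) {
    stream.destroy(err);
    throw err;
  }
  return collector.finish();
}

// Demonstration on constructed data: the client declares a small body but then
// streams one byte more than the (deliberately small) 1 KiB limit.
function demo() {
  const limit = 1024;
  const declared = checkDeclaredLength({ 'content-length': '512' }, limit);
  console.log(`declared length accepted: ${declared}`);
  const collector = createBoundedCollector(limit);
  const chunks = [Buffer.alloc(512, 0x89), Buffer.alloc(512, 0x50), Buffer.alloc(1, 0x4e)];
  try {
    for (const c of chunks) collector.push(c);
    console.log(`upload accepted: ${collector.finish().length} bytes`);
  } catch (err) {
    console.log(`rejected with HTTP ${err.status}: ${err.message}`);
  }
  return collector.received; // 1025 in this constructed run
}

demo();

module.exports = { MAX_AVATAR_BYTES, PayloadTooLargeError, checkDeclaredLength, createBoundedCollector, readBounded, demo };
```

The header check is cheap and catches honest clients early; the streaming counter is the one that actually bounds resource use, and it should be paired with a per-user quota if the storage backend is shared, since the advisory's scenario is many users each uploading large files rather than a single oversized request.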

Affected configurations

Vulners (Node)
tooljet    Range    <1.27.0

CPE
Name       Operator    Version
tooljet    lt          1.27.0
