Lucene search

GitHub Advisory DatabaseGHSA-XHW9-4WQQ-X67V

HistorySep 27, 2022 - 12:00 a.m.

rdiffweb vulnerable to potential DoS via memory consumption

2022-09-2700:00:16

CWE-770

GitHub Advisory Database

github.com

rdiffweb

vulnerability

dos

memory consumption

patch

ssh key

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

37.9%

JSON

rdiffweb prior to 2.4.8 is vulnerable to a potential Dos attack via an unlimited length “title” field when adding an SSH key.
This can result in excess memory consumption, leading to a Denial of Service (DoS). This issue is patched in version 2.4.8. There are no known workarounds.

Affected configurations

Vulners

Node

rdiffwebrdiffwebRange<2.4.8

VendorProductVersionCPE
rdiffwebrdiffweb*cpe:2.3:a:rdiffweb:rdiffweb:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rdiffweb	rdiffweb	*	cpe:2.3:a:rdiffweb:rdiffweb::::::::

References

github.com/advisories/GHSA-xhw9-4wqq-x67v

github.com/ikus060/rdiffweb/commit/626cca1b75b6c587afd4241a9692e8929b1921a5

github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-294.yaml

huntr.dev/bounties/f9fedf94-41c9-49c4-8552-e407123a44e7

nvd.nist.gov/vuln/detail/CVE-2022-3298

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

37.9%

JSON

Related for GHSA-XHW9-4WQQ-X67V