Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrZiddiqui42671C5E75-833E-4C5D-A7D1-FF013BEE08E9
HistoryAug 08, 2021 - 3:28 a.m.

Denial of Service in cortezaproject/corteza-server

2021-08-0803:28:00
ziddiqui42
www.huntr.dev
6
JSON

You can put a very long login email text until you get the last user to put and aries or [DoS].

Normally emails have 64 to 225 digits.

Summary There is no limit to the number of characters in the login email, which allows a DoS attack. The DoS attack affects both server-side and client-side.

NOTE: This bug happens on https://latest.cortezaproject.org/auth/login By sending a very long text (1.000.000 characters) When a long email is sent, the email process will result in CPU and memory exhaustion.

Remediation: The note implementation must be fixed to limit the maximum length of accepted characters.

Step to reproduce:

Put your long payload in a login email

Impact: it’s possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive.

Verify it and set a fair reward for reporting security vulnerability in a responsible manner.

JSON