Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrNehalr777D8B8519D-96A5-484C-8141-624C54290BF5
HistorySep 23, 2022 - 10:30 a.m.

No Limit in length of username , results in memory consumption/DOS attack

2022-09-2310:30:42
nehalr777
www.huntr.dev
10
username length limit
memory consumption
dos attack
bugbounty

EPSS

0.001

Percentile

37.9%

JSON

Description

There must be a fixed length for user input parameters like username. Allowing users to enter long strings may result in a DOS attack or memory corruption

Proof of Concept

1)Go to https://rdiffweb-demo.ikus-soft.com/admin/users endpoint .
2)Click on add user
3)Here you will see that there is no limit for the username length that allows a user to to set a very long string as long as 1 million characters
4)This may possible result in a memory corruption/DOS attack

Mitigation: There must be a fixed length for the username - upto 256 characters

Related

osv 3
prion 1
github 1
veracode 1
cvelist 1
cve 1
cnvd 1
nvd 1
osv
osv
CVE-2022-3290
2022-09-26 19:15:11
rdiffweb's unlimited username field length can lead to DoS
2022-09-27 00:00:17
PYSEC-2022-292
2022-09-26 19:15:00
prion
prion
Input validation
2022-09-26 19:15:00
github
github
rdiffweb's unlimited username field length can lead to DoS
2022-09-27 00:00:17
veracode
veracode
Denial Of Service (DoS)
2022-09-26 06:51:46
cvelist
cvelist
CVE-2022-3290 Improper Handling of Length Parameter Inconsistency in ikus060/rdiffweb
2022-09-26 19:00:14
cve
cve
CVE-2022-3290
2022-09-26 19:15:11
cnvd
cnvd
Rdiffweb Username Denial of Service Vulnerability
2022-09-28 00:00:00
nvd
nvd
CVE-2022-3290
2022-09-26 19:15:11

EPSS

0.001

Percentile

37.9%

JSON
Related for D8B8519D-96A5-484C-8141-624C54290BF5
osv3prion1github1veracode1cvelist1cve1cnvd1nvd1