GoogleOSV:GHSA-GFVQ-MXW3-MFQ3asyncua vulnerable to denial of service via infinite loop
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
46.0%
Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.
References
gist.github.com/artfire52/1540b234350795e0ecb4d672608dbec8
github.com/FreeOpcUa/opcua-asyncio
github.com/FreeOpcUa/opcua-asyncio/commit/f6603daa34a93a658f0e176cb0b9ee5a6643b262
github.com/FreeOpcUa/opcua-asyncio/issues/1013
github.com/FreeOpcUa/opcua-asyncio/pull/1039
github.com/FreeOpcUa/opcua-asyncio/releases/tag/v0.9.96
github.com/pypa/advisory-database/tree/main/vulns/asyncua/PYSEC-2023-190.yaml
nvd.nist.gov/vuln/detail/CVE-2023-26151
security.snyk.io/vuln/SNYK-PYTHON-ASYNCUA-5673709
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
46.0%