Lucene search

GoogleOSV:PYSEC-2023-190

HistoryOct 03, 2023 - 5:15 a.m.

PYSEC-2023-190

2023-10-0305:15:00

Google

osv.dev

asyncua package

denial of service

vulnerable software

malformed packet

memory consumption

security vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

46.0%

JSON

Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.

References

gist.github.com/artfire52/1540b234350795e0ecb4d672608dbec8

github.com/FreeOpcUa/opcua-asyncio/commit/f6603daa34a93a658f0e176cb0b9ee5a6643b262

github.com/FreeOpcUa/opcua-asyncio/issues/1013

github.com/FreeOpcUa/opcua-asyncio/pull/1039

github.com/FreeOpcUa/opcua-asyncio/releases/tag/v0.9.96

security.snyk.io/vuln/SNYK-PYTHON-ASYNCUA-5673709

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

46.0%

JSON

Related for OSV:PYSEC-2023-190