
CVE-2022-3295 rdiffweb

Package

Manager: pip
Name: rdiffweb
Vulnerable Version: >=0 <2.4.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00055 (percentile 0.17153)

Details

rdiffweb allows an unlimited length for the root directory name, which could result in DoS.

rdiffweb prior to 2.4.8 has no limit on the length of root directory names. Allowing users to enter long strings may result in a DoS attack or memory corruption. Version 2.4.8 defines a field limit for username, email, and root directory.

Metadata

Created: 2022-09-27T00:00:22Z
Modified: 2024-10-25T21:29:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-hrj7-f62f-j7x7/GHSA-hrj7-f62f-j7x7.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-hrj7-f62f-j7x7
Finding: F029
Auto approve: 1