Fluid Attacks Database

Description

rdiffweb's unlimited length Fullname field can lead to DoS rdiffweb prior to 2.5.0a3 does not validate email length, allowing users to insert an email longer than 255 characters. If a user signs up with an email with a length of 1 million or more characters and logs in, withdraws, or changes their email, the server may cause denial of service due to overload.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	rdiffweb	>=0 <2.5.0a3	2.5.0a3

Aliases

1. CVE-2022-33642. NVD-2022-33643. OSV-2022-33644. GCVE-2022-3364

References

1. https://github.com/ikus060/rdiffweb/commit/b62c479ff6979563c7c23e7182942bc4f460a2c72. https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-298.yaml3. https://huntr.dev/bounties/e70ad507-1424-463b-bdf1-c4a6fbe6e720

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.