logo

Database

Lack of data validation In rdiffweb

Description

rdiffweb's unlimited length email field can lead to DoS rdiffweb prior to 2.4.8 does not validate email length, allowing users to insert an email longer than 255 characters. If a user signs up with an email with a length of 1 million or more characters and logs in, withdraws, or changes their email, the server may cause denial of service due to overload. Version 2.4.8 sets length limits for username, email, and root directory.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-32722. NVD-2022-32723. OSV-2022-32724. GCVE-2022-3272

References

1. https://github.com/ikus060/rdiffweb/commit/667657c6fe2b336c90be37f37fb92f65df4feee32. https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-291.yaml3. https://huntr.com/bounties/733678b9-daa1-4d6a-875a-382fa09a6e38

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.