Fluid Attacks Database

Description

rdiffweb allows unlimited length of root directory name, which could result in DoS rdiffweb prior to 2.4.8 has no limit in length of root directory names. Allowing users to enter long strings may result in a DOS attack or memory corruption. Version 2.4.8 defines a field limit for username, email, and root directory.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	rdiffweb	>=0 <2.4.8	2.4.8

Aliases

1. CVE-2022-32952. NVD-2022-32953. OSV-2022-32954. GCVE-2022-3295

References

1. https://github.com/ikus060/rdiffweb/commit/667657c6fe2b336c90be37f37fb92f65df4feee32. https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-293.yaml3. https://huntr.dev/bounties/202dd03a-3d97-4c64-bc73-1a0f36614233

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.