
CVE-2022-1728: Allowing long password leads to denial of service in polonel/trudesk in trudesk

Allowing a long password leads to denial of service in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability can be abused to mount a DDoS attack that leaves genuine users unable to access resources/applications.


Description

The trudesk application accepts a very long password (10000000 characters), which makes it possible to cause a denial of service on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing implementation: when a long password is sent, the password hashing process results in CPU and memory exhaustion.

Proof of Concept

1. Go to https://docker.trudesk.io/profile and paste the payload in the Password parameter.

2. Copy the payload from this link: https://drive.google.com/file/d/1E3iqSQE4-t4dXpWQrDPHY7OcspHxYvYE/view?usp=sharing and paste it into the Password parameter.

3. You will see that the application allows the long password; this can lead to DoS and can be exploited as DDoS.

Video POC: https://drive.google.com/file/d/1d_QV79hBqGN6GHSt5VLiranA6hO2q2W_/view?usp=sharing

Impact

This vulnerability can be abused to mount a DDoS attack that leaves genuine users unable to access resources/applications.
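The class of fix for the issue described above is to bound the password size before any hashing work starts. The following is an added example, not code from trudesk or from the report; the limits, the function names and the use of Node's built-in scrypt as the hashing step are assumptions chosen for illustration.

```javascript
// Added example: cap password size before any hashing work is done.
const nodeCrypto = require('node:crypto');

// Assumed policy values (not from trudesk): adjust to your own password policy.
const MIN_PASSWORD_CHARS = 8;
const MAX_PASSWORD_BYTES = 256;

// Returns null when the password is acceptable, otherwise a short reason string.
function checkPasswordSize(password) {
  if (typeof password !== 'string') return 'password must be a string';
  // Cheap length test first: every UTF-16 code unit encodes to at least one
  // UTF-8 byte, so this rejects huge input without encoding it.
  if (password.length > MAX_PASSWORD_BYTES) return 'password too long';
  if (password.length < MIN_PASSWORD_CHARS) return 'password too short';
  // Multi-byte characters can exceed the byte budget while under the char limit.
  if (Buffer.byteLength(password, 'utf8') > MAX_PASSWORD_BYTES) return 'password too long';
  return null;
}

// Hashes only after the size check passes, so oversized input costs no KDF work.
function hashPassword(password) {
  const problem = checkPasswordSize(password);
  if (problem) return { ok: false, error: problem };
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(password, salt, 32); // stand-in hashing step
  return { ok: true, salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Constructed inputs; the first matches the size given in the description.
function demo() {
  return {
    oversized: hashPassword('A'.repeat(10000000)),
    normal: hashPassword('correct horse battery staple'),
    multibyte: checkPasswordSize('é'.repeat(200)), // 200 chars, 400 UTF-8 bytes
  };
}
```

Pair this check with a request body size limit at the web framework or reverse proxy, so an oversized request is rejected before it is parsed at all.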
