#dos

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

**How could an attacker exploit this vulnerability?** An unauthenticated attacker could send a specially crafted request to a vulnerable LDAP server. Successful exploitation could result in bypassing a buffer length check which could be leveraged to achieve information leak.

The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in `mem.rs`. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.

workers/extractor.py in Pandora (aka pandora-analysis/pandora) 1.3.0 allows a denial of service when an attacker submits a deeply nested ZIP archive (aka ZIP bomb).

The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denial of service via a large file that triggers an integer overflow in mem.rs. NOTE: this is unrelated to the https://crates.io/crates/bzip2-rs product.

### Impact Due to a workaround for an old client bug (which has since been fixed), very large JSON payloads in `ModalFormResponsePacket` were able to cause the server to spend a significant amount of time processing the packet. Large numbers of these packets were able to hog CPU time so as to prevent the server from processing other connections in a timely manner. ### Patches The problem has been addressed in 3baa5ab71214f96e6e7ab12cb9beef08118473b5 by removing the workaround code. ### Workarounds Plugins could cancel `DataPacketReceiveEvent` for this packet, decode the data their way, and then call `Player->onFormSubmit()` directly, bypassing the vulnerable code.

### Impact Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. ### Patches This was patched in https://github.com/mercurius-js/mercurius/pull/940. ### Workarounds Disable subscriptions. ### References Reported publicly as https://github.com/mercurius-js/mercurius/issues/939. The same problem was solved in https://github.com/fastify/fastify-websocket/pull/228

The Serbian government reports that it staved off five attacks aimed at crippling Serbian infrastructure.

### Impact Due to a vulnerability in `jackson-databind <= 2.12.6.0`, an authenticated attacker could craft an Apiman policy configuration which, when saved, may cause a denial of service on the Apiman Manager API. This does **not** affect the Apiman Gateway. ### Patches Upgrade to Apiman 3.0.0.Final or later. If you are using an older version of Apiman and need to remain on that version, contact your Apiman [support provider](https://www.apiman.io/support.html) for advice/long-term support. ### Workarounds If all users of the Apiman Manager are trusted then you may assess this is low risk, as an account is required to exploit the vulnerability. ### References * Apiman maintainer and security contact: [email protected] * https://nvd.nist.gov/vuln/detail/CVE-2020-36518 * https://github.com/FasterXML/jackson-databind/issues/2816

The JsonWebToken package plays a big role in the authentication and authorization functionality for many applications.