GHSA-5v95-j4rr-6f3c
- Source
- https://github.com/advisories/GHSA-5v95-j4rr-6f3c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-5v95-j4rr-6f3c/GHSA-5v95-j4rr-6f3c.json
- Aliases
- Published
- 2022-09-27T00:00:17Z
- Modified
- 2023-11-08T04:09:37.887450Z
- Details
-
rdiffweb prior to 2.4.8 is vulnerable to a potential Dos attack via an unlimited length "username" field. This can result in excess memory consumption, or memory corruption, leading to a Denial of Service (DoS). This issue is patched in version 2.4.8. There are no known workarounds.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-3290
- https://github.com/ikus060/rdiffweb/commit/667657c6fe2b336c90be37f37fb92f65df4feee3
- https://github.com/ikus060/rdiffweb
- https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-292.yaml
- https://huntr.dev/bounties/d8b8519d-96a5-484c-8141-624c54290bf5
Affected packages
PyPI / rdiffweb
Package
- Name
- rdiffweb
Affected versions
0.*
0.9.2.dev1
0.9.3
0.9.4
0.9.5
0.10.0
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
1.*
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1b1
1.3.1b2
1.3.1
1.3.2
1.4.0b1
1.4.0b2
1.4.0b3
1.4.0b4
1.4.0b5
1.4.0
1.4.1b1
1.4.1b2
1.4.1b3
1.5.0
1.5.1b1
1.5.1b2
1.6.0b1
2.*
2.0.1b2
2.0.1b3
2.0.2
2.0.3a1
2.0.3a2
2.0.3a3
2.0.3a4
2.0.3a5
2.0.3a6
2.0.3a7
2.1.0
2.2.0.dev1
2.2.0a1
2.2.0a2
2.2.0a3
2.2.0a4
2.2.0a5
2.2.0a6
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7