CVE-2022-25761

EPSS 0.14%
Published 23.08.2022 05:15:08
Last modified 21.11.2024 06:52:57
Source report@snyk.io
CVE-Watchlists
Login
Open
Login

The package open62541/open62541 before 1.2.5, from 1.3-rc1 and before 1.3.1 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.

Affected products Warnungen 0 Metrics 3 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Open62541 ≫ Open62541 Version < 1.2.5

Open62541 ≫ Open62541 Version1.3 Updaterc1

Open62541 ≫ Open62541 Version1.3 Updaterc2

Open62541 ≫ Open62541 Version1.3 Updaterc2-ef

Open62541 ≫ Open62541 Version1.3 Updaterc2-ef2

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.348

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/open62541/open62541/commit/b79db1ac78146fc06b0b8435773d3967de2d659c

Patch

Third Party Advisory

https://github.com/open62541/open62541/pull/5173

Patch

Third Party Advisory

https://github.com/open62541/open62541/releases/tag/v1.2.5

Third Party Advisory

Release Notes

https://github.com/open62541/open62541/releases/tag/v1.3.1

Third Party Advisory

Release Notes