Vulnerability Details : CVE-2022-25761
The package open62541/open62541 before 1.2.5, from 1.3-rc1 and before 1.3.1 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
Vulnerability category: Denial of service
Products affected by CVE-2022-25761
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:open62541:open62541:*:*:*:*:*:*:*:*
- cpe:2.3:a:open62541:open62541:1.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:open62541:open62541:1.3:rc2-ef:*:*:*:*:*:*
- cpe:2.3:a:open62541:open62541:1.3:rc2-ef2:*:*:*:*:*:*
- cpe:2.3:a:open62541:open62541:1.3:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-25761
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-25761
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
Snyk |
CWE ids for CVE-2022-25761
-
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-25761
-
https://github.com/open62541/open62541/commit/b79db1ac78146fc06b0b8435773d3967de2d659c
fix(plugin): Add default limits for chunks and message size · open62541/open62541@b79db1a · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNUV4FDVDBQHCPMOOEVKLMQK5SLKPK2L/
[SECURITY] Fedora 37 Update: open62541-1.2.6-1.fc37 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/open62541/open62541/pull/5173
fix(plugin): Add default limits for chunks and message size by jpfr · Pull Request #5173 · open62541/open62541 · GitHubPatch;Third Party Advisory
-
https://github.com/open62541/open62541/releases/tag/v1.2.5
Release v1.2.5 · open62541/open62541 · GitHubRelease Notes;Third Party Advisory
-
https://github.com/open62541/open62541/releases/tag/v1.3.1
Release v1.3.1 · open62541/open62541 · GitHubRelease Notes;Third Party Advisory
-
https://security.snyk.io/vuln/SNYK-UNMANAGED-OPEN62541OPEN62541-2988719
Denial of Service (DoS) in open62541/open62541 | CVE-2022-25761 | SnykPatch;Third Party Advisory
Jump to