CVE-2022-4723 : Allocation of Resources Without Limits or Throttling in GitHub repository ikus06

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5.

Published 2022-12-27 15:15:12

Updated 2023-01-05 14:37:28

Source huntr.dev

View at NVD, CVE.org

Products affected by CVE-2022-4723

Ikus-soft » Rdiffweb
Versions before (<) 2.5.5
cpe:2.3:a:ikus-soft:rdiffweb:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 39 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.3	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H	0.8	5.5	huntr.dev
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: High Availability: High
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: security@huntr.dev (Primary)

https://huntr.dev/bounties/9369681b-8bfc-4146-a54c-c5108442d92c

No rate limit on "resend email feature" while enable or disable 2FA from /prefs/mfa endpoint vulnerability found in rdiffweb
Exploit;Patch;Third Party Advisory
https://github.com/ikus060/rdiffweb/commit/6e9ee210548f6d3210704cac302cfc7cdb239765

Ratelimit "Resend code to my email" in Two-Factor Authentication view · ikus060/rdiffweb@6e9ee21 · GitHub
Patch;Third Party Advisory

Jump to