Lack of Character Limit in Notes Sections Leads to Denial of Service in inventree/inventree
Jun 19th 2022
The InvenTree application allows for the inclusion of notes for various objects in the application. The notes functionality does not include a character limit. An attacker can submit an infinite number of characters into the notes section, which causes a denial of service and increased processor usage for the victim. The tester tested against the Stock Parts and Parts notes sections. Tester assumes that other objects in the application that have notes available would also be vulnerable, however did not test it due to consumption of local resources.
Tester was able to add in excess of one hundred million (100,000,000) characters or more with the included PoC during testing.
Proof of Concept
Should a user visit one of the exploited parts, the vulnerable page will not load appropriately. The victim may see their computer become unresponsive as the processor works to process the amount of data being served by the vulnerable notes section.
Apply a consistent character limit across the application where user input can be added to notes sections.
Thanks for the report Joe, we will look into this one ASAP.
Please let me know if you need anything from me. Thanks!
@admin @maintainer can we have a CVE for this one?