Denial of Service in cortezaproject/corteza-server
Reported on
Aug 8th 2021
You can put a very long login email text until you get the last user to put and aries or [DoS].
Normally emails have 64 to 225 digits.
Summary: There is no limit to the number of characters in the login email, which allows a DoS attack. The DoS attack affects both server-side and client-side.
NOTE: This bug happens on https://latest.cortezaproject.org/auth/login by sending a very long text (1.000.000 characters). When a long email is sent, the email process will result in CPU and memory exhaustion.
Remediation: The note implementation must be fixed to limit the maximum length of accepted characters.
Steps to reproduce:
Put your long payload in a login email
Impact: It's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive.
Verify it and set a fair reward for reporting security vulnerability in a responsible manner.
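The remediation the report asks for, shown as an added Go example (not Corteza's own code): the request body is capped before it is read, and the email field is length-checked before any parsing or user lookup. The 254-character email cap (RFC 5321), the 4 KB form cap, the route and the handler names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/mail"
	"net/url"
	"strings"
)

// Limits assumed here: RFC 5321 caps a mailbox at 254 octets; a login form fits in a few KB.
const maxEmailLen, maxLoginBody = 254, 4 * 1024
var ErrEmailTooLong = errors.New("email exceeds 254 characters")

// validateLoginEmail checks length before parsing, so a 1,000,000-character value is rejected immediately.
func validateLoginEmail(email string) error {
	if len(email) > maxEmailLen {
		return ErrEmailTooLong
	}
	_, err := mail.ParseAddress(strings.TrimSpace(email))
	return err
}

// loginHandler caps the body first (MaxBytesReader stops reading at the limit), then validates the email before touching the user store.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBody)
	if err := r.ParseForm(); err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err := validateLoginEmail(r.PostFormValue("email")); err != nil {
		http.Error(w, "invalid email: "+err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, "credentials accepted for verification")
}

// postLogin submits a constructed login form in-process and returns the HTTP status code.
func postLogin(email string) int {
	body := url.Values{"email": {email}, "password": {"x"}}.Encode()
	req := httptest.NewRequest(http.MethodPost, "/auth/login", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	loginHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(postLogin("user@example.com"), postLogin(strings.Repeat("a", 1_000_000))) // 200 413
}
```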
Thank you for reporting. I'll get one of our guys to validate this and propose a fix.
Thanks for the report; we will be addressing this in the near future.