Improper handling of Length parameter in erudika/scoold

Status: Valid

Reported on Apr 24th 2022


Description

There was no restriction on the amount of text that could be entered into a user's name field. When the text was large enough, the service suffered a momentary outage in our non-production environment (which is not highly available). An internal reproduction showed isolated disruption but no outage in our production environment.

Proof of Concept

  1. Log in to an account.
  2. Visit the profile section.
  3. Edit the profile and add an unlimited amount of random input into the Name field, for example `//%3C%3E//http://www.evil.com/projectX.htm` repeated 10000 times.
  4. Save, and you can see the disruption in the PoC video.

PoC

https://drive.google.com/file/d/18DYqGoDOdse6yLPjDb-GoqVSaFgAZkVN/view?usp=sharing

Impact

When the text size is large enough, the service suffers a momentary outage in a production environment. That can lead to memory corruption on the server.
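A defensive counterpart to the issue described above, added here as an illustration and not taken from Scoold's code or from the merged fix: a server-side validator for a free-text profile field that refuses oversized input before it is stored or rendered, so the handler never allocates or processes the large value. The 100-character limit, the class name `DisplayNameValidator` and the method `validate` are assumptions made for this example; it needs Java 11 or later for `String.repeat` and `String.strip`.

```java
import java.util.Optional;

/**
 * Added example (not Scoold's code): server-side validation for a free-text
 * profile field such as the display name. The limit of 100 characters is an
 * assumed value chosen for illustration; pick one that fits the application.
 */
public final class DisplayNameValidator {

    /** Assumed maximum length for a display name, counted in code points. */
    static final int MAX_NAME_LENGTH = 100;

    private DisplayNameValidator() {}

    /**
     * Returns a cleaned display name, or an empty Optional if the input must be
     * rejected. The check runs before the value touches the data store or any
     * template, so an oversized value is never persisted or rendered.
     */
    static Optional<String> validate(String rawName) {
        if (rawName == null) {
            return Optional.empty();
        }
        // Cheapest check first: refuse further work on an oversized input.
        // Code points are counted rather than UTF-16 units so the limit is
        // about visible characters, not the encoding.
        if (rawName.codePointCount(0, rawName.length()) > MAX_NAME_LENGTH) {
            return Optional.empty();
        }
        String trimmed = rawName.strip();
        if (trimmed.isEmpty()) {
            return Optional.empty();
        }
        // Control characters (including line breaks) have no place in a name.
        for (int i = 0; i < trimmed.length(); i++) {
            if (Character.isISOControl(trimmed.charAt(i))) {
                return Optional.empty();
            }
        }
        return Optional.of(trimmed);
    }

    public static void main(String[] args) {
        // Constructed oversized input in the spirit of the report: a short
        // fragment repeated many times.
        String oversized = "//%3C%3E//http://www.evil.com/projectX.htm".repeat(10000);
        System.out.println("oversized input accepted: " + validate(oversized).isPresent());
        System.out.println("normal input result:      " + validate("  Alice  ").orElse("<rejected>"));
        System.out.println("control chars accepted:   " + validate("Bob\nSmith").isPresent());
    }
}
```

Compile and run with `javac DisplayNameValidator.java && java DisplayNameValidator`. The length test is deliberately placed before trimming and scanning so that a multi-megabyte value is discarded in constant time; pairing this with a request-body size limit at the web tier means an oversized submission is rejected before the profile handler runs at all.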

We are processing your report and will contact the erudika/scoold team within 24 hours. (a month ago)
We have contacted a member of the erudika/scoold team and are waiting to hear back. (a month ago)
Alex Bogdanovski validated this vulnerability a month ago
Tarun Garg has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tarun Garg
a month ago

Researcher


@admin @maintainer @albogdano Thank you for the bounty. Please provide for this vulnerability and assign a CVE.

Alex Bogdanovski confirmed that a fix has been merged on 62a0e9 a month ago
Alex Bogdanovski has been awarded the fix bounty
ProfileController.java#L243 has been validated
Tarun Garg
a month ago

Researcher


@admin Please assign a CVE for this vulnerability as it is public now.

Jamie Slome
a month ago

Admin


@iamshooter99 - we require the maintainer's permissions before we proceed with a CVE.

@albogdano - are you happy for us to assign and publish a CVE for this report?

Tarun Garg
25 days ago

Researcher


@albogdano @maintainer @admin ?

Jamie Slome
25 days ago

Admin


Sorted 🍰
