[Java]: DOS through Decompression
am0o0 opened this issue · 5 comments
Query PR
Language
Java
CVE(s) ID list
- CVE-2022-4565
- CVE-2023-3398 related to Apache Commons upload as a remote flow source
- many file upload-related vulnerabilities related to file upload remote sources, especially in Jenkins, like this one which was found by GitHub Security Lab. I'll try to collect them all if it is important to mention all of them; please let me know if it is not necessary.
CWE
No response
Report
Extracting compressed files with any compression algorithm like gzip can cause denial of service attacks. Attackers can compress a huge file created from repeated similar bytes and convert it to a small compressed file.
Added modeling for multiple CLI third parties.
I found some CVEs that contain remote flow sources of Apache Commons upload and Servlet Multipart, which are really valuable remote flow sources and exist in many popular open-source repositories. Because this query involves file upload, I needed to add these flow sources within this pull request.
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
- Yes
- No
Blog post link
No response
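The report above describes the sink the DecompressionBomb.ql query is looking for: an archive is inflated to end-of-stream without any bound on the output size. The following is an added Java example, not code from the submission or from the CodeQL repository, that builds a small constructed gzip member expanding to 64 MiB and contrasts the unbounded read pattern with a byte-budgeted one. The limit constant MAX_DECOMPRESSED_BYTES and the method names are assumptions for this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class DecompressionBombDemo {

    // Hypothetical policy limit chosen for this demo: 1 MiB of inflated output.
    static final long MAX_DECOMPRESSED_BYTES = 1L << 20;

    /** Vulnerable pattern: inflate until EOF, trusting the archive to be small. */
    static byte[] unpackUnbounded(byte[] gz) throws IOException {
        try (InputStream in = new GZIPInputStream(new ByteArrayInputStream(gz));
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            in.transferTo(out); // Java 9+; reads everything the stream yields
            return out.toByteArray();
        }
    }

    /**
     * Hardened pattern: count inflated bytes and abort once the budget is exceeded.
     * The check runs per read() call, so at most one buffer (8 KiB) beyond the
     * limit is ever held before the exception is thrown.
     */
    static byte[] unpackBounded(byte[] gz, long maxBytes) throws IOException {
        try (InputStream in = new GZIPInputStream(new ByteArrayInputStream(gz));
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                if (total > maxBytes) {
                    throw new IOException(
                        "decompressed size exceeds limit of " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /** Constructed sample: 64 MiB of identical bytes, which gzip shrinks to a few tens of KiB. */
    static byte[] buildBomb() throws IOException {
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(sink)) {
            byte[] chunk = new byte[1 << 20]; // 1 MiB of zero bytes
            for (int i = 0; i < 64; i++) {
                gz.write(chunk);
            }
        }
        return sink.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] bomb = buildBomb();
        System.out.println("compressed size: " + bomb.length + " bytes");

        // Hardened path: rejects the input after inflating just over 1 MiB.
        try {
            unpackBounded(bomb, MAX_DECOMPRESSED_BYTES);
        } catch (IOException e) {
            System.out.println("bounded extractor rejected input: " + e.getMessage());
        }

        // The unbounded path would materialise all 64 MiB in memory; with a larger
        // archive or many concurrent uploads this is the denial of service the
        // report describes. Uncomment to observe:
        // System.out.println(unpackUnbounded(bomb).length);
    }
}
```

The budget check is the defensive property the query is testing for: a taint path from an untrusted archive (a multipart upload, for instance) into an inflating read with no size guard on the inflated output. Comparing the compressed and inflated byte counts also gives a usable ratio check if a fixed byte cap is too coarse for the application.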
Hi @am0o0, the query DecompressionBomb.ql does not find any findings in the database "DB_CVE-2022-4565.zip". Please let me know if you can get it working.
Your submission is now in status Test run.
For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Your submission is now in status Results analysis.
For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Your submission is now in status Query review.
For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Created Hackerone report 2636036 for bounty 603861 : [774] [Java]: DOS through Decompression