github/securitylab

[C#]: DOS through Decompression

am0o0 opened this issue · 5 comments

am0o0 commented

Query PR

github/codeql#13558

Language

C#

CVE(s) ID list

  • No CVE yet, but a CVE will definitely be published soon.

CWE

No response

Report

Extracting compressed files with any compression algorithm like gzip can lead to denial of service attacks. Attackers can compress a huge file, created from a repeated byte, into a small compressed file.
Added modeling for multiple CLI third parties.
In this pull request I've also added some valuable remote flow sources which I thought are related to my query, because it mostly needs a file upload from forms as a user remote source.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response
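As an added illustration of the mitigation (not code from the PR or from CodeQL), this hypothetical `BoundedGzip` helper inflates a gzip stream into memory but aborts once the output exceeds a caller-supplied cap, which is the check the query is looking for; the sample input is constructed in the same process.

```csharp
using System;
using System.IO;
using System.IO.Compression;

// Hypothetical helper: decompress gzip data but refuse to inflate past
// maxOutputBytes, so a tiny input cannot be expanded into gigabytes.
public static class BoundedGzip
{
    public static byte[] Decompress(Stream compressed, long maxOutputBytes)
    {
        using var gz = new GZipStream(compressed, CompressionMode.Decompress);
        using var output = new MemoryStream();
        var buffer = new byte[81920];
        long total = 0;
        int read;
        // Read in chunks and count output. gz.CopyTo(output) would inflate
        // without any bound; the gzip header carries no trustworthy size.
        while ((read = gz.Read(buffer, 0, buffer.Length)) > 0)
        {
            total += read;
            if (total > maxOutputBytes)
                throw new InvalidDataException(
                    $"Output exceeds {maxOutputBytes} bytes; possible decompression bomb.");
            output.Write(buffer, 0, read);
        }
        return output.ToArray();
    }

    public static void Main()
    {
        // Constructed sample: 5 MB of zeros gzips down to a few KB.
        var original = new byte[5 * 1024 * 1024];
        using var packed = new MemoryStream();
        using (var gz = new GZipStream(packed, CompressionLevel.Optimal, leaveOpen: true))
            gz.Write(original, 0, original.Length);
        Console.WriteLine($"Compressed size: {packed.Length} bytes");

        packed.Position = 0;
        try
        {
            Decompress(packed, maxOutputBytes: 1024 * 1024); // 1 MB cap
            Console.WriteLine("Unexpected: decompression completed.");
        }
        catch (InvalidDataException ex)
        {
            Console.WriteLine($"Rejected: {ex.Message}");
        }
    }
}
```

The same bounded-read pattern applies to `DeflateStream`, `BrotliStream` and per-entry `ZipArchive` streams; checking only the compressed input length is not sufficient.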

@am0o0 how goes finding the CVE for this? If you do, please include the database as well

@Kwstubbs I forgot about this one. I checked this before; in the past there were vulnerable instances, but I forgot to continue reporting and submitting the vulnerabilities. I'll work on it this week.

alright thanks

Closing upon request from @am0o0

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed