
CVE-2022-25761

Denial of Service (DoS)

Severity Score: 7.5 (CVSS v3.1)

Exploit Likelihood: (EPSS)

Affected Versions: (CPE)

Public Exploits: 0 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

Versions of the package open62541/open62541 before 1.2.5, and from 1.3-rc1 before 1.3.1, are vulnerable to Denial of Service (DoS) due to a missing limit on the number of received chunks, either per single session or in total across all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without ever sending the Final closing chunk.


*Credits: Vera Mens, Uri Katz, Sharon Brizinov of Team82 (Claroty Research)
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-02-24 CVE Reserved
  • 2022-08-23 CVE Published
  • 2024-04-13 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
Affected Vendors, Products, and Versions
Vendor         Product     Version   Other     Status
Open62541      Open62541   < 1.2.5   -         Affected
Open62541      Open62541   1.3       rc1       Affected
Open62541      Open62541   1.3       rc2       Affected
Open62541      Open62541   1.3       rc2-ef    Affected
Open62541      Open62541   1.3       rc2-ef2   Affected
Fedoraproject  Fedora      37        -         Affected