GHSA-MJ24-GPW7-23M9
Vulnerability from github – Published: 2023-10-10 18:28 – Updated: 2023-10-13 20:28
VLAI?
Summary
Denial of service vulnerability on creating a Launch with too many recursively nested elements in reportportal
Details
Impact
ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable "ltree" field type indexing limit (path length>=120 approximately, recursive nesting of the nested steps).
REINDEX INDEX path_gist_idx and path_idx aren't helped.
Patches
The problem was fixed in service-api module of version 5.10.0 (product release 23.2), where the maximum number of nested elements were programmatically limited.
Workarounds
After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal is working properly.
Severity ?
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.epam.reportportal:service-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-25822"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-10T18:28:11Z",
"nvd_published_at": "2023-10-09T14:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\nReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable \"ltree\" field type indexing limit (path length\u003e=120 approximately, recursive nesting of the nested steps). \n\nREINDEX INDEX path_gist_idx and path_idx aren\u0027t helped. \n\n### Patches\nThe problem was fixed in `service-api` module of version `5.10.0` (product release [23.2](https://reportportal.io/docs/releases/Version23.2/)), where the maximum number of nested elements were programmatically limited.\n\n### Workarounds\nAfter deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal is working properly.",
"id": "GHSA-mj24-gpw7-23m9",
"modified": "2023-10-13T20:28:09Z",
"published": "2023-10-10T18:28:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25822"
},
{
"type": "PACKAGE",
"url": "https://github.com/reportportal/reportportal"
},
{
"type": "WEB",
"url": "https://github.com/reportportal/reportportal/releases/tag/v23.2"
},
{
"type": "WEB",
"url": "https://reportportal.io/docs/releases/Version23.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of service vulnerability on creating a Launch with too many recursively nested elements in reportportal"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…