Details
Bug
Status: Patch Available
Major
Resolution: Unresolved
5.2.1
None
None
Description
Looking further into the code, focusing on the action and type query strings,
we can see that the filter variable gets its value from the requestsParameters.
Once the filter parameter has been populated, an if statement checks whether Scope and Type are not null, and next
the code checks whether logRetrievalType is equal to JOB_LOG_ACTION (which is the action query string).
Next, the value of logRetrievalScope is split by "," and execution enters the if block.
In the block where ranges of actions are processed (if (s.contains("-")) { ... }), an attacker could potentially
send a specially crafted request with a massive range, such as "1-1000000". This would create a for loop
iterating and adding that many actions to the actionSet, consuming CPU and memory resources.
Though there is a subsequent check against maxNumActionsForLog , this check only happens after all the iterations,
allowing an attacker to consume resources before this check is made -
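
The ordering problem described above, shown as an added example beside a hardened form. This is a simplified sketch written for this page, not Oozie's source or the attached patch: the class and method names and the limit of 50 are assumptions, and only logRetrievalScope, actionSet and maxNumActionsForLog are taken from the description.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration, not Oozie source; class and method names are hypothetical.
public class ScopeRangeDemo {
    // Pattern described in the report: expand every range, check the limit last.
    static Set<Integer> expandThenCheck(String logRetrievalScope, int maxNumActionsForLog) {
        Set<Integer> actionSet = new LinkedHashSet<>();
        for (String s : logRetrievalScope.split(",")) {
            if (s.contains("-")) {
                String[] r = s.split("-", 2);
                int end = Integer.parseInt(r[1].trim());
                for (int i = Integer.parseInt(r[0].trim()); i <= end; i++) {
                    actionSet.add(i); // cost grows with the requested range
                }
            } else {
                actionSet.add(Integer.parseInt(s.trim()));
            }
        }
        if (actionSet.size() > maxNumActionsForLog) { // too late: set already built
            throw new IllegalArgumentException("too many actions: " + actionSet.size());
        }
        return actionSet;
    }

    // Hardened form: reject an oversized range before iterating over it.
    static Set<Integer> checkThenExpand(String logRetrievalScope, int maxNumActionsForLog) {
        Set<Integer> actionSet = new LinkedHashSet<>();
        for (String s : logRetrievalScope.split(",")) {
            String[] r = s.contains("-") ? s.split("-", 2) : new String[] {s, s};
            int start = Integer.parseInt(r[0].trim());
            int end = Integer.parseInt(r[1].trim());
            long width = (long) end - start + 1; // long: no int overflow
            if (width < 1 || width > maxNumActionsForLog) {
                throw new IllegalArgumentException("range rejected before expansion: " + s.trim());
            }
            for (long i = start; i <= end; i++) actionSet.add((int) i); // long counter: no wraparound
            if (actionSet.size() > maxNumActionsForLog) { // cumulative cap, checked per range
                throw new IllegalArgumentException("scope exceeds " + maxNumActionsForLog + " actions");
            }
        }
        return actionSet;
    }

    public static void main(String[] args) {
        System.out.println(checkThenExpand("1-3,7", 50)); // constructed sample input
        try { checkThenExpand("1-1000000", 50); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

In the hardened form, the work done per range is bounded by maxNumActionsForLog regardless of the numbers in the request, and the set never grows past twice that limit before the request is rejected.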