[ https://issues.apache.org/jira/browse/OOZIE-3719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kinga Marton reassigned OOZIE-3719: ----------------------------------- Assignee: Sanjay Kumar Sahu > Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege > Users Disrupting Access for Intended Users > ---------------------------------------------------------------------------------------------------------------------- > > Key: OOZIE-3719 > URL: https://issues.apache.org/jira/browse/OOZIE-3719 > Project: Oozie > Issue Type: Bug > Components: core > Affects Versions: 5.2.1 > Reporter: Sanjay Kumar Sahu > Assignee: Sanjay Kumar Sahu > Priority: Major > Attachments: image-2023-09-15-02-47-52-819.png, > image-2023-09-15-02-49-14-531.png, image-2023-09-15-02-52-09-320.png > > > !image-2023-09-15-02-47-52-819.png! > > Looking further into the code focusing on the action and type query strings. > We can see that the filter variable is getting its value from the > requestsParameters . > once the Filter parameter is being populated, an If loop checking whether > Scope and Type are not Null and next > the code checks the logRetrievalType is equal to the JOB_LOG_ACTION (which is > the action query string). > > Next the values of logRetrievalScope gets split by , and entering the the if > loop. > In the block where ranges of actions are processed ( if (s.contains("-")) \{ > ... } ), an attacker could potentially > send a specially crafted request with a massive range, such as "1-1000000". > This would create a for loop > iterating and adding that many actions to the actionSet , consuming CPU and > memory resources. > Though there is a subsequent check against maxNumActionsForLog , this check > only happens after all the iterations, > allowing an attacker to consume resources before this check is made - > > !image-2023-09-15-02-52-09-320.png! > > -- This message was sent by Atlassian Jira (v8.20.10#820010)