
CVE-2022-3272: rdiffweb's unlimited length email field can lead to DoS

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.24358%
CWE: -
Published: 9/27/2022
Updated: 1/29/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: rdiffweb
Ecosystem: pip
Vulnerable Versions: >= 0, < 2.4.8
First Patched Version: 2.4.8

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing length validation on email fields in form handlers. The patches explicitly added validators.length(max=256) to these email fields (in page_admin.py and pref_general.py), and the CVE description directly implicates email-related operations (signup, login, email changes). The added test cases (e.g., test_change_email_with_too_long) confirm these were the vulnerable entry points. While username and root directory fields were also patched, CVE-2022-3272 specifically references the email field as the DoS vector.
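As an added illustration of the fix pattern described above (example code, not rdiffweb's own), this plain-Python model of a WTForms-style validator chain shows why the length bound must sit in front of the email field's other checks: with it, a one-million-character address is rejected before anything else processes it; without it, the value passes straight through. `EmailForm`, `email_format` and `MAX_EMAIL_LEN` are assumed names.

```python
import re

MAX_EMAIL_LEN = 256  # the bound the patch applied via validators.length(max=256)

class ValidationError(ValueError):
    """Raised when a field value fails a validator (WTForms-style semantics)."""

def length(max: int):
    """Validator factory: reject values longer than `max` characters."""
    def _check(value: str) -> None:
        if len(value) > max:
            raise ValidationError(f"Field cannot be longer than {max} characters.")
    return _check

def email_format(value: str) -> None:
    """Coarse address-shape check; stands in for whatever processing follows."""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        raise ValidationError("Invalid email address.")

class EmailForm:
    """Hypothetical form with one email field and a WTForms-like validator chain."""
    # Pre-patch shape: no length bound, so arbitrarily long input reaches every step.
    VULNERABLE_VALIDATORS = [email_format]
    # Patched shape: the length bound runs first and rejects oversized input early.
    PATCHED_VALIDATORS = [length(max=MAX_EMAIL_LEN), email_format]

    def __init__(self, email: str, patched: bool = True):
        self.email = email
        self.validators = self.PATCHED_VALIDATORS if patched else self.VULNERABLE_VALIDATORS
        self.errors: list[str] = []

    def validate(self) -> bool:
        """Run validators in order and stop at the first failure."""
        for check in self.validators:
            try:
                check(self.email)
            except ValidationError as exc:
                self.errors.append(str(exc))
                return False
        return True

# Constructed sample inputs: a normal address and a one-million-character one.
NORMAL_EMAIL = "user@example.com"
HUGE_EMAIL = "a" * 1_000_000 + "@example.com"

def check(email: str, patched: bool = True) -> bool:
    """Return whether `email` passes the (patched or pre-patch) form validation."""
    return EmailForm(email, patched).validate()
```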


WAF Protection Rules

WAF Rule

rdiffweb prior to 2.4.8 does not validate email length, allowing users to insert an email longer than 256 characters. If a user signs up with an email with a length of a million or more characters and logs in, withdraws, or changes their email, the s
