
CVE-2023-4138: RDiffWeb vulnerable to Allocation of Resources Without Limits or Throttling

CVSS Score
4.2 (CVSS v3.0)

Basic Information

EPSS Score
0.18869%
Published
8/3/2023
Updated
11/10/2023
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Package Name    Ecosystem    Vulnerable Versions    First Patched Version
rdiffweb        pip          < 2.8.1                2.8.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing rate limiting on the email report feature. The patch adds the @cherrypy.tools.ratelimit decorator to the default method of PagePrefNotification, the POST handler that triggers the report email, explicitly addressing email flooding. The commit message and the CWE-770 classification confirm that this was an unthrottled resource allocation vector: because the handler was exposed as a POST endpoint with no throttle, every submission sent another message. The fix is available from rdiffweb 2.8.1; earlier versions should be upgraded.
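To make the before/after behaviour concrete, the following is an added example written for this page, not rdiffweb's code. rdiffweb's actual fix registers its own ratelimit tool with CherryPy; the sliding-window decorator below is a hypothetical stand-in with the same shape (a limiter applied to the default handler), the 5-per-minute limit is an assumed value, and the mailer, clock and client identifiers are constructed so it runs offline without CherryPy.

```python
"""Illustration of the CWE-770 pattern behind CVE-2023-4138 and its mitigation.

Added example; not rdiffweb's code. The real fix adds @cherrypy.tools.ratelimit
to PagePrefNotification.default; `ratelimit` below is a hypothetical stand-in
so the unthrottled and throttled handlers can be run side by side.
"""
import functools
import threading
import time
from collections import defaultdict, deque


class TooManyRequests(Exception):
    """Raised in place of an HTTP 429 response."""


class FakeClock:
    """Controllable clock so window expiry can be exercised deterministically."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


FAKE_CLOCK = FakeClock()


class FakeMailer:
    """Constructed stand-in for the outbound mail call; records what would be sent."""

    def __init__(self):
        self.sent = []

    def send(self, recipient, subject):
        self.sent.append((recipient, subject))


def ratelimit(limit, window_seconds, clock=None):
    """Sliding-window limiter keyed on the caller's identity (hypothetical).

    State is held per decorated handler, so every instance of the page
    shares one budget per client key.
    """
    clock = clock or time.monotonic

    def decorator(func):
        hits = defaultdict(deque)
        lock = threading.Lock()

        @functools.wraps(func)
        def wrapper(self, client_id, *args, **kwargs):
            now = clock()
            with lock:
                window = hits[client_id]
                # Drop timestamps that have aged out of the window.
                while window and now - window[0] >= window_seconds:
                    window.popleft()
                if len(window) >= limit:
                    raise TooManyRequests(
                        f"{client_id}: more than {limit} requests in {window_seconds}s"
                    )
                window.append(now)
            return func(self, client_id, *args, **kwargs)

        return wrapper

    return decorator


class PagePrefNotificationUnthrottled:
    """'Before' shape: the POST handler sends mail on every request."""

    def __init__(self, mailer):
        self.mailer = mailer

    def default(self, client_id, action, recipient):
        if action == "send_report":
            self.mailer.send(recipient, "rdiffweb backup report")
        return "ok"


class PagePrefNotificationThrottled(PagePrefNotificationUnthrottled):
    """'After' shape: same handler behind a per-client limit (5/minute, assumed)."""

    @ratelimit(limit=5, window_seconds=60, clock=FAKE_CLOCK.now)
    def default(self, client_id, action, recipient):
        return super().default(client_id, action, recipient)


def simulate(handler, attempts, client_id="10.0.0.5"):
    """Fire `attempts` send_report POSTs from one client; return (delivered, rejected)."""
    delivered = rejected = 0
    for _ in range(attempts):
        try:
            handler.default(client_id, action="send_report", recipient="target@example.test")
            delivered += 1
        except TooManyRequests:
            rejected += 1
    return delivered, rejected


if __name__ == "__main__":
    before = PagePrefNotificationUnthrottled(FakeMailer())
    after = PagePrefNotificationThrottled(FakeMailer())
    print("unthrottled:", simulate(before, 50))  # (50, 0): every POST becomes an email
    print("throttled:  ", simulate(after, 50))   # (5, 45)
    FAKE_CLOCK.advance(60)
    print("next window:", simulate(after, 1))    # (1, 0)
```

The limiter is keyed on a client identifier; since the CVSS vector records PR:H, the handler is reachable only by an authenticated user, so keying on the session or username rather than the source IP is the more robust choice in a real deployment, as an attacker can rotate addresses but not accounts. A rate limit bounds the damage per key rather than removing the sink, so per-recipient limits on the mail side are a reasonable second layer.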


WAF Protection Rules

WAF Rule

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.1.
