JITL - JobScheduler Integrated Template Library
JITL-590

Denial of Service (DOS) Vulnerability allows to exhaust resources when calculating the daily plan (CVE-2020-6855)


Details

    • Type: Fix
    • Status: Released
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.11, 1.13.2
    • Fix Version/s: 1.12.12, 1.13.3
    • Component/s: None
    • Labels: CVE-2020-6855

    Description

      Vulnerability

      • A DoS vulnerability has been identified, see https://en.wikipedia.org/wiki/Denial-of-service_attack
      • An attacker with the privilege to modify or to start a job or order can parameterize jobs to calculate the daily plan for a large number of future days. A similar operation is available from the REST API. This results in the JOC Cockpit becoming unavailable. By default the daily plan is calculated 31 days ahead.
      • Severity Level: MEDIUM
        • To take advantage of the vulnerability, an attacker must have a valid account in the application that allows them to perform a specific action. The attacker must therefore hold account credentials with privileges to modify or to start jobs or orders.

      Mitigation

      • The classes that calculate the daily plan limit any parameterization that exceeds 2000 days.
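The pattern behind this mitigation is to validate the look-ahead parameter before any work is sized by it: apply the default when the parameter is absent, reject values that are not integers or are negative, and reject anything above the hard upper bound. The following is an added illustration written for this page; it is not JobScheduler or JOC Cockpit code, and the function names, the string-typed parameter and the plan-as-date-list representation are assumptions.

```python
"""
Bounded look-ahead for a daily-plan calculation (illustrative, not the project's own code).

The horizon arrives as a string parameter, as it would from a job parameter or a
REST query value, and is checked before a single plan entry is allocated.
"""
from datetime import date, timedelta
from typing import Iterator, List, Optional

DEFAULT_DAYS_AHEAD = 31   # default horizon stated in the advisory
MAX_DAYS_AHEAD = 2000     # upper bound stated in the advisory's mitigation


class DaysAheadError(ValueError):
    """Raised when the look-ahead parameter is malformed or exceeds the bound."""


def parse_days_ahead(raw: Optional[str]) -> int:
    """Validate the look-ahead parameter; returns the number of plan days to build.

    Validation happens here, up front, so an oversized request is refused
    before any memory or CPU is spent on the plan itself.
    """
    if raw is None or raw.strip() == "":
        return DEFAULT_DAYS_AHEAD
    try:
        days = int(raw.strip())
    except ValueError:
        raise DaysAheadError(f"days ahead is not an integer: {raw!r}") from None
    if days < 0:
        raise DaysAheadError(f"days ahead must not be negative: {days}")
    if days > MAX_DAYS_AHEAD:
        raise DaysAheadError(
            f"days ahead {days} exceeds the maximum of {MAX_DAYS_AHEAD}"
        )
    return days


def plan_dates(start: date, days_ahead: int) -> Iterator[date]:
    """Yield one date per plan day, beginning at start (days_ahead is already bounded)."""
    for offset in range(days_ahead):
        yield start + timedelta(days=offset)


def build_daily_plan(start_iso: str, raw_days_ahead: Optional[str]) -> List[str]:
    """Build the plan for start_iso (YYYY-MM-DD) over a validated horizon.

    Returns the plan days as ISO date strings. The bound is enforced by
    parse_days_ahead before the list is materialised.
    """
    days = parse_days_ahead(raw_days_ahead)
    start = date.fromisoformat(start_iso)
    return [d.isoformat() for d in plan_dates(start, days)]


if __name__ == "__main__":
    # Constructed sample requests: default, explicit small horizon, and an oversized one.
    print(len(build_daily_plan("2020-01-01", None)))       # 31
    print(build_daily_plan("2020-01-01", "3"))             # 3 entries
    try:
        build_daily_plan("2020-01-01", "999999999")        # refused up front
    except DaysAheadError as exc:
        print("rejected:", exc)
```

The important design choice is where the check sits: the bound is applied in `parse_days_ahead`, the only path from the raw parameter to a number of days, so neither the job-parameter entry point nor a REST entry point can reach `plan_dates` with an unbounded value.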

          People

            Assignee: Uwe Risse
            Reporter: Oliver Haufe