CVE-2022-25304

EUVD-2022-6584
All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
snykCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
Affected Products (NVD)
VendorProductVersion
asyncua_projectasyncua
*
opcua_projectopcua
*
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-opcua
bullseye
vulnerable
buster
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-opcua
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://github.com/FreeOpcUa/python-opcua/issues/1466
https://security.snyk.io/vuln/SNYK-PYTHON-ASYNCUA-2988731
https://security.snyk.io/vuln/SNYK-PYTHON-OPCUA-2988730
https://github.com/FreeOpcUa/python-opcua/issues/1466
https://security.snyk.io/vuln/SNYK-PYTHON-ASYNCUA-2988731
https://security.snyk.io/vuln/SNYK-PYTHON-OPCUA-2988730