Sanjay Kumar Sahu created OOZIE-3719: ----------------------------------------
Summary: Apache Oozie Regex Denial of Service (ReDoS) Vulnerability by Low Privilege Users Disrupting Access for Intended Users Key: OOZIE-3719 URL: https://issues.apache.org/jira/browse/OOZIE-3719 Project: Oozie Issue Type: Bug Components: core Affects Versions: 5.2.1 Reporter: Sanjay Kumar Sahu Attachments: image-2023-09-15-02-47-52-819.png, image-2023-09-15-02-49-14-531.png !image-2023-09-15-02-47-52-819.png! Looking further into the code focusing on the action and type query strings. We can see that the filter variable is getting its value from the requestsParameters . once the Filter parameter is being populated, an If loop checking whether Scope and Type are not Null and next the code checks the logRetrievalType is equal to the JOB_LOG_ACTION (which is the action query string). Next the values of logRetrievalScope gets split by , and entering the the if loop. In the block where ranges of actions are processed ( if (s.contains("-")) \{ ... } ), an attacker could potentially send a specially crafted request with a massive range, such as "1-1000000". This would create a for loop iterating and adding that many actions to the actionSet , consuming CPU and memory resources. Though there is a subsequent check against maxNumActionsForLog , this check only happens after all the iterations, allowing an attacker to consume resources before this check is made - !image-2023-09-15-02-50-26-331.png! -- This message was sent by Atlassian Jira (v8.20.10#820010)