CVE-2023-25822 - OpenCVE

ReportPortal is an AI-powered test automation platform. Prior to version 5.10.0 of the `com.epam.reportportal:service-api` module, corresponding to ReportPortal version 23.2, the ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable `ltree` field type indexing limit (path length>=120, approximately recursive nesting of the nested steps). REINDEX INDEX path_gist_idx and path_idx aren't helped. The problem was fixed in `com.epam.reportportal:service-api` module version 5.10.0 (product release 23.2), where the maximum number of nested elements were programmatically limited. A workaround is available. After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal works properly.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Reportportal	Reportportal Service-api

Configuration 1 [-]

OR	cpe:2.3:a:reportportal:reportportal::::::::
	cpe:2.3:a:reportportal:service-api::::::::

No data.

References

Link	Providers
https://github.com/reportportal/reportportal/releases/tag/v23.2
https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9
https://reportportal.io/docs/releases/Version23.2/

History

Thu, 19 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-09T13:13:53.391Z

Updated: 2024-09-19T13:57:44.174Z

Reserved: 2023-02-15T16:34:48.774Z

Link: CVE-2023-25822

Vulnrichment

Updated: 2024-08-02T11:32:12.588Z

NVD

Status : Analyzed

Published: 2023-10-09T14:15:10.547

Modified: 2023-10-13T15:01:57.210

Link: CVE-2023-25822

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25822", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-15T16:34:48.774Z", "datePublished": "2023-10-09T13:13:53.391Z", "dateUpdated": "2024-09-19T13:57:44.174Z"}, "containers": {"cna": {"title": "ReportPortal DoS vulnerability on creating a Launch with too many recursively nested elements", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9"}, {"name": "https://github.com/reportportal/reportportal/releases/tag/v23.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/reportportal/reportportal/releases/tag/v23.2"}, {"name": "https://reportportal.io/docs/releases/Version23.2/", "tags": ["x_refsource_MISC"], "url": "https://reportportal.io/docs/releases/Version23.2/"}], "affected": [{"vendor": "reportportal", "product": "reportportal", "versions": [{"version": "< 5.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-09T13:13:53.391Z"}, "descriptions": [{"lang": "en", "value": "ReportPortal is an AI-powered test automation platform. Prior to version 5.10.0 of the `com.epam.reportportal:service-api` module, corresponding to ReportPortal version 23.2, the ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable `ltree` field type indexing limit (path length>=120, approximately recursive nesting of the nested steps). REINDEX INDEX path_gist_idx and path_idx aren't helped. The problem was fixed in `com.epam.reportportal:service-api` module version 5.10.0 (product release 23.2), where the maximum number of nested elements were programmatically limited. A workaround is available. After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal works properly."}], "source": {"advisory": "GHSA-mj24-gpw7-23m9", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:32:12.588Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9"}, {"name": "https://github.com/reportportal/reportportal/releases/tag/v23.2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/reportportal/reportportal/releases/tag/v23.2"}, {"name": "https://reportportal.io/docs/releases/Version23.2/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://reportportal.io/docs/releases/Version23.2/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T13:15:21.478701Z", "id": "CVE-2023-25822", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T13:57:44.174Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9", "name": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/reportportal/reportportal/releases/tag/v23.2", "name": "https://github.com/reportportal/reportportal/releases/tag/v23.2", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://reportportal.io/docs/releases/Version23.2/", "name": "https://reportportal.io/docs/releases/Version23.2/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:32:12.588Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-25822", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T13:15:21.478701Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T13:57:39.810Z"}}], "cna": {"title": "ReportPortal DoS vulnerability on creating a Launch with too many recursively nested elements", "source": {"advisory": "GHSA-mj24-gpw7-23m9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "reportportal", "product": "reportportal", "versions": [{"status": "affected", "version": "< 5.10.0"}]}], "references": [{"url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9", "name": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/reportportal/reportportal/releases/tag/v23.2", "name": "https://github.com/reportportal/reportportal/releases/tag/v23.2", "tags": ["x_refsource_MISC"]}, {"url": "https://reportportal.io/docs/releases/Version23.2/", "name": "https://reportportal.io/docs/releases/Version23.2/", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ReportPortal is an AI-powered test automation platform. Prior to version 5.10.0 of the `com.epam.reportportal:service-api` module, corresponding to ReportPortal version 23.2, the ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable `ltree` field type indexing limit (path length>=120, approximately recursive nesting of the nested steps). REINDEX INDEX path_gist_idx and path_idx aren't helped. The problem was fixed in `com.epam.reportportal:service-api` module version 5.10.0 (product release 23.2), where the maximum number of nested elements were programmatically limited. A workaround is available. After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal works properly."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-09T13:13:53.391Z"}}}, "cveMetadata": {"cveId": "CVE-2023-25822", "state": "PUBLISHED", "dateUpdated": "2024-09-19T13:57:44.174Z", "dateReserved": "2023-02-15T16:34:48.774Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-09T13:13:53.391Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:reportportal:reportportal:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA457CC7-2162-45F4-9242-627E4834CB40", "versionEndExcluding": "23.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:reportportal:service-api:*:*:*:*:*:*:*:*", "matchCriteriaId": "F2404BAD-E6F4-4CC7-BCD6-4F9FB004CA68", "versionEndExcluding": "5.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ReportPortal is an AI-powered test automation platform. Prior to version 5.10.0 of the `com.epam.reportportal:service-api` module, corresponding to ReportPortal version 23.2, the ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable `ltree` field type indexing limit (path length>=120, approximately recursive nesting of the nested steps). REINDEX INDEX path_gist_idx and path_idx aren't helped. The problem was fixed in `com.epam.reportportal:service-api` module version 5.10.0 (product release 23.2), where the maximum number of nested elements were programmatically limited. A workaround is available. After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal works properly."}, {"lang": "es", "value": "ReportPortal es una plataforma de automatizaci\u00f3n de pruebas impulsada por IA. Antes de la versi\u00f3n 5.10.0 del m\u00f3dulo `com.epam.reportportal:service-api`, correspondiente a la versi\u00f3n 23.2 de ReportPortal, la base de datos de ReportPortal se vuelve inestable y los informes se detienen casi por completo, excepto en peque\u00f1os inicios con aproximadamente 1 prueba interna cuando se ejecuta test_item. El campo de ruta ha excedido el l\u00edmite de indexaci\u00f3n de tipo de campo `ltree` permitido (path length>=120, anidamiento aproximadamente recursivo de los pasos anidados). REINDEX INDEX path_gist_idx y path_idx no reciben ayuda. El problema se solucion\u00f3 en la versi\u00f3n 5.10.0 del m\u00f3dulo `com.epam.reportportal:service-api` (versi\u00f3n 23.2 del producto), donde el n\u00famero m\u00e1ximo de elementos anidados estaba limitado mediante programaci\u00f3n. Hay un workaround disponible. Despu\u00e9s de eliminar los datos con rutas largas y reindexar ambos \u00edndices (path_gist_idx y path_idx), la base de datos se estabiliza y ReportPortal funciona correctamente."}], "id": "CVE-2023-25822", "lastModified": "2023-10-13T15:01:57.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-09T14:15:10.547", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/reportportal/reportportal/releases/tag/v23.2"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/reportportal/reportportal/security/advisories/GHSA-mj24-gpw7-23m9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://reportportal.io/docs/releases/Version23.2/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}