Description
A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser.py of the component SonarQubeParser/MSDefenderParser. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.56.0 is able to resolve this issue. The identifier of the patch is e8f1e5131535b8fd80a7b1b3085d676295fdcd41. Upgrading the affected component is recommended.
Published: 2026-03-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A malformed ZIP file read by the SonarQubeParser or MSDefenderParser parser module can cause an out‑of‑memory condition, leading to a denial of service. The flaw is a result of unchecked input size and missing error handling, consistent with CWE‑1284 and CWE‑404. An attacker can exploit the vulnerability remotely by delivering a crafted ZIP archive, potentially exhausting system resources and interrupting the DefectDojo service.

Affected Systems

The vulnerability exists in OWASP DefectDojo versions up to and including 2.55.4. It is present in the SonarQubeParser and MSDefenderParser components. The issue has been resolved in version 2.56.0. Administrators should review their installed DefectDojo release and upgrade if the affected components are deployed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, yet the presence of a public exploit means that exposed installations could be targeted. Attackers can trigger the denial of service remotely by uploading a specially crafted ZIP archive to the vulnerable parser endpoint; no authentication is required for the attack vector to succeed, meaning any accessible instance is at risk.

Generated by OpenCVE AI on April 16, 2026 at 10:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DefectDojo to version 2.56.0 or later to apply the patch identified by e8f1e5131535b8fd80a7b1b3085d676295fdcd41.
  • Restrict the upload interface for SonarQubeParser/MSDefenderParser to trusted users or networks and disable the parsers if they are not needed in the deployment.
  • Implement a pre‑validation step that limits the size of ZIP files accepted by the parser and rejects excessively large archives with a clear error message.

Generated by OpenCVE AI on April 16, 2026 at 10:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
CPEs cpe:2.3:a:owasp:defectdojo:*:*:*:*:*:*:*:*

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Owasp
Owasp defectdojo
Vendors & Products Owasp
Owasp defectdojo

Mon, 09 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 11:15:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in OWASP DefectDojo up to 2.55.4. This vulnerability affects the function input_zip.read of the file parser.py of the component SonarQubeParser/MSDefenderParser. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.56.0 is able to resolve this issue. The identifier of the patch is e8f1e5131535b8fd80a7b1b3085d676295fdcd41. Upgrading the affected component is recommended.
Title OWASP DefectDojo SonarQubeParser/MSDefenderParser parser.py input_zip.read denial of service
Weaknesses CWE-404
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Owasp Defectdojo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-09T17:25:37.675Z

Reserved: 2026-03-08T17:23:16.744Z

Link: CVE-2026-3816

cve-icon Vulnrichment

Updated: 2026-03-09T17:25:20.115Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-09T11:16:06.450

Modified: 2026-03-10T19:55:40.700

Link: CVE-2026-3816

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:30:16Z

Weaknesses