CVE-2023-25822 MEDIUM

CVE-2023-25822: ReportPortal DoS vulnerability on creating a Launch with too many recursively nested elements

Vendor Reportportal
Product reportportal
Weakness CWE-770 · Uncontrolled resource consumption
Published October 9, 2023
Last update September 19, 2024

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

ReportPortal is an AI-powered test automation platform. Prior to version 5.10.0 of the `com.epam.reportportal:service-api` module, corresponding to ReportPortal version 23.2, the ReportPortal database becomes unstable and reporting almost fully stops except for small launches with approximately 1 test inside when the test_item.path field is exceeded the allowable `ltree` field type indexing limit (path length>=120, approximately recursive nesting of the nested steps). REINDEX INDEX path_gist_idx and path_idx aren't helped. The problem was fixed in `com.epam.reportportal:service-api` module version 5.10.0 (product release 23.2), where the maximum number of nested elements were programmatically limited. A workaround is available. After deletion of the data with long paths, and reindexing both indexes (path_gist_idx and path_idx), the database becomes stable and ReportPortal works properly.

Key dates

02Disclosure timeline

October 9, 2023 CVE published
September 19, 2024 Record updated