Summary
Remote user-controlled data (the tags value) can reach a Unicode normalization in compatibility decomposition form (NFKD). Under Windows, this normalization is costly in CPU and memory, and because the input is not size-limited it may lead to denial of service through a "One Million Unicode" style payload. The effect is worsened by compatibility characters such as U+2100 (℀) or U+2105 (℅): under NFKD each decomposes to three code points ("a/c" and "c/o" respectively), so the normalized payload is three times the size of the input.
Impact
- An HTTP request whose tags value contains '℅' one million times, something like "℅℅℅℅℅℅℅℅℅℅℅℅℅℅℅℅℅℅℅℅....℅℅℅", would cause a denial of service in a Windows environment, because the user-controlled data is passed to the costly Unicode normalization directly, with no size limit applied first.
- Impact is limited to Windows deployments only.
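The following is an added illustration, not code from the affected project or from this advisory. It reproduces the pattern the advisory describes (NFKD applied to user-controlled input with no size check) next to a bounded variant, and shows the expansion factor of the characters named above. It goes slightly beyond the page by also measuring U+FDFA, the single code point with the largest NFKD expansion in Unicode (18 code points). The limit MAX_TAG_CHARS and the function names are hypothetical; the project's real field limit is not stated in the advisory, and the payload below is constructed for the example.

```python
import unicodedata

# Constructed sample payload, not taken from the advisory: one million '℅' (U+2105).
ONE_MILLION_CARE_OF = "\u2105" * 1_000_000

# Hypothetical per-field limit; the affected project's real limit is not given in the advisory.
MAX_TAG_CHARS = 100


def nfkd_length(ch: str) -> int:
    """Number of code points a single character becomes under NFKD."""
    return len(unicodedata.normalize("NFKD", ch))


def nfkd_unbounded(value: str) -> str:
    """The vulnerable pattern: normalize user-controlled input with no size check.

    For ONE_MILLION_CARE_OF this allocates and walks a 3,000,000 code point
    result; the advisory reports this as a denial of service on Windows.
    """
    return unicodedata.normalize("NFKD", value)


def normalize_tag_bounded(value: str, max_chars: int = MAX_TAG_CHARS) -> str:
    """Hardened variant: reject oversized input BEFORE normalizing, and re-check after.

    The second check matters because compatibility decomposition can grow the
    string (3x for U+2100/U+2105, up to 18x for U+FDFA), so an input that fits
    the limit may still produce an output that does not.
    """
    if len(value) > max_chars:
        raise ValueError(f"tag too long: {len(value)} > {max_chars} code points")
    normalized = unicodedata.normalize("NFKD", value)
    if len(normalized) > max_chars:
        raise ValueError(
            f"tag expands to {len(normalized)} code points under NFKD, limit {max_chars}"
        )
    return normalized


def rejects_oversized(value: str) -> bool:
    """True if the bounded normalizer refuses the value instead of normalizing it."""
    try:
        normalize_tag_bounded(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for cp in ("\u2100", "\u2105", "\ufdfa"):
        print(f"U+{ord(cp):04X} -> {nfkd_length(cp)} code points: {unicodedata.normalize('NFKD', cp)!r}")
    print("unbounded result length:", len(nfkd_unbounded(ONE_MILLION_CARE_OF)))
    print("bounded normalizer rejects payload:", rejects_oversized(ONE_MILLION_CARE_OF))
```

Checking the length before calling unicodedata.normalize is the cheap part of the fix; the post-normalization check guards the code that consumes the result, since a 100 code point input of U+FDFA would otherwise hand it 1,800 code points.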
Affected versions
Versions prior to 2.1.11 are affected by this vulnerability. The patch is included in 2.1.11.
References: