CVE-2022-41404
Denial of Service (DoS) vulnerability in ini4j (Maven)
What is CVE-2022-41404 About?
An issue exists in the `fetch()` method within the `BasicProfile` class of `org.ini4j` before v0.5.4, allowing attackers to cause a Denial of Service (DoS). This vulnerability can lead to service unavailability. The exact vectors for exploitation are unspecified, but usually involve crafted input.
Affected Software
Technical Details
The Denial of Service (DoS) vulnerability in org.ini4j versions prior to v0.5.4 resides specifically within the fetch() method of the BasicProfile class. While the exact attack vectors are unspecified, such DoS vulnerabilities typically arise from resource exhaustion, infinite loops, or unhandled exceptions when processing malformed or excessively large input. An attacker would likely provide specially crafted input to a function that eventually calls the fetch() method within BasicProfile. This crafted input might cause the method to consume an exorbitant amount of CPU, memory, or other system resources, leading to the application becoming unresponsive or crashing entirely. This directly impacts the availability of the service that uses org.ini4j for configuration parsing.
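Because the page lists no upgrade for the Maven artifact, the practical control is to keep attacker-influenced text away from the parser or, where that is impossible, to bound the resources a single document can consume. The following Java class is an added example written for this page, not code from the ini4j project: it caps the input size, runs the parse on a fixed-size worker pool so runaway parses cannot multiply, and puts both `load()` and the value-resolving `fetch()` calls the application needs under one wall-clock budget. The constants (`MAX_INPUT_CHARS`, `BUDGET_MS`, `MAX_CONCURRENT_PARSES`), the class name and the sample document are assumptions chosen for illustration.

```java
import org.ini4j.Ini;

import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example (hypothetical class, not part of ini4j): resource-bounded use of
 * org.ini4j on text the application does not fully trust. Three controls:
 * a hard cap on input size, a bounded worker pool with no backlog queue, and a
 * wall-clock budget that covers load() and the fetch() calls together.
 */
public final class BoundedIniLoader {
    private static final int MAX_INPUT_CHARS = 64 * 1024;   // assumed cap for an uploaded config
    private static final long BUDGET_MS = 500;              // assumed per-document budget
    private static final int MAX_CONCURRENT_PARSES = 4;     // assumed, sized to the host

    // Fixed-size pool with a SynchronousQueue: when every worker is busy, new work is
    // rejected at once instead of queueing behind a parse that may never finish.
    private static final ExecutorService POOL = new ThreadPoolExecutor(
            MAX_CONCURRENT_PARSES, MAX_CONCURRENT_PARSES, 0L, TimeUnit.MILLISECONDS,
            new SynchronousQueue<>(),
            r -> { Thread t = new Thread(r, "ini-worker"); t.setDaemon(true); return t; },
            new ThreadPoolExecutor.AbortPolicy());

    private BoundedIniLoader() {}

    /** Parse the document and resolve the named options of one section within BUDGET_MS. */
    public static Map<String, String> loadAndResolve(String untrustedText, String section, String... options)
            throws IOException, TimeoutException {
        if (untrustedText.length() > MAX_INPUT_CHARS) {
            throw new IOException("INI input rejected: " + untrustedText.length() + " chars exceeds cap");
        }
        Future<Map<String, String>> job;
        try {
            job = POOL.submit(() -> {
                Ini ini = new Ini();
                ini.load(new StringReader(untrustedText));
                Map<String, String> resolved = new LinkedHashMap<>();
                for (String option : options) {
                    // fetch() resolves variable references, so it stays inside the budget too
                    resolved.put(option, ini.fetch(section, option));
                }
                return resolved;
            });
        } catch (RejectedExecutionException e) {
            throw new IOException("INI parser pool saturated; retry later", e);
        }
        try {
            return job.get(BUDGET_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            job.cancel(true);   // best effort only: a CPU-bound loop does not observe the interrupt
            throw e;
        } catch (InterruptedException e) {
            job.cancel(true);
            Thread.currentThread().interrupt();
            throw new IOException("interrupted while parsing INI", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IOException("INI parse failed", cause);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document for illustration; values carry no meaning.
        String doc = "[server]\nhost = example.invalid\nport = 8080\n";
        System.out.println(loadAndResolve(doc, "server", "host", "port"));
    }
}
```

The timeout keeps the calling thread responsive but cannot reclaim a worker that is stuck in a CPU-bound loop, which is why the size cap and the bounded pool carry most of the weight: the worst case is a handful of busy daemon threads, and further requests fail fast rather than exhausting the host. Sizing `MAX_CONCURRENT_PARSES` below the core count leaves headroom for the rest of the service.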
What is the Impact of CVE-2022-41404?
Successful exploitation may allow attackers to cause a denial-of-service, leading to the application becoming unresponsive or crashing, thereby impacting resource availability.
What is the Exploitability of CVE-2022-41404?
Exploitation of this Denial of Service vulnerability is of unknown complexity, as the specific vectors are not detailed. However, DoS vulnerabilities typically range from low to moderate complexity, often involving crafted input. Authentication requirements are unknown but could be low if ini4j processes unauthenticated user input. Privilege requirements are low, as the vulnerability affects the application's stability. Exploitation could be local or remote, depending on where the fetch() method's input originates. No special conditions are elaborated. The likelihood of exploitation depends on the exposed surface area where org.ini4j input can be influenced by an attacker.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-41404?
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2022/CVE-2022-41404
- https://nvd.nist.gov/vuln/detail/CVE-2022-41404
- https://sourceforge.net/p/ini4j/bugs/56/
- https://lists.debian.org/debian-lts-announce/2022/11/msg00037.html
- https://sourceforge.net/projects/ini4j
- https://osv.dev/vulnerability/GHSA-jr6h-r7vg-f9mc
What are Similar Vulnerabilities to CVE-2022-41404?
Similar Vulnerabilities: CVE-2020-8902, CVE-2021-20300, CVE-2022-25852, CVE-2022-23539, CVE-2023-28155
