OliveTin PasswordHash API Unauthenticated Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in OliveTin versions prior to 3000.10.2. The issue arises in the PasswordHash API endpoint, which allows unauthenticated users to send concurrent password hashing requests. This leads to excessive memory allocation, exhausting available container memory and causing service degradation or a complete denial-of-service. The vulnerability exists because the endpoint performs resource-intensive hashing operations without authentication, request throttling, or resource limits.
Impact
Exploitation of this vulnerability allows for unauthorized memory exhaustion, causing the service to crash and disrupt availability. In orchestrated environments, such as those using Docker, this can lead to the container being terminated.
Reproduction
The vulnerability can be reproduced by sending 50 concurrent requests to the PasswordHash API endpoint, each carrying a JSON body with a password field. A bash script that issues the requests in parallel and then checks the container's memory usage will show a significant increase in memory consumption.
Remediation
Users can update to OliveTin version 3000.10.2 or later, where this vulnerability has been patched.
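The root cause described above is an expensive hashing operation exposed without throttling or resource limits, and the fix shipped in 3000.10.2 is not shown on this page. The following is an added example, not OliveTin's own code, of the kind of defensive control that addresses this vulnerability class: a counting semaphore that caps how many hash computations may run concurrently and rejects excess requests with 503 instead of queueing unbounded work. The endpoint path `/PasswordHash`, the limit of 4, and the iterated-SHA-256 stand-in for the real password hash are all assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"log"
	"net/http"
)

// maxConcurrentHashes bounds how many expensive hash computations may run at
// once. Assumed value for this example; in practice derive it from the
// container's memory limit divided by the per-hash memory cost.
const maxConcurrentHashes = 4

// hashLimiter is a counting semaphore built on a buffered channel.
type hashLimiter struct {
	slots chan struct{}
}

func newHashLimiter(n int) *hashLimiter {
	return &hashLimiter{slots: make(chan struct{}, n)}
}

// tryAcquire reserves a slot without blocking. Returning false lets the caller
// fail fast rather than let a flood of requests pile up in memory.
func (l *hashLimiter) tryAcquire() bool {
	select {
	case l.slots <- struct{}{}:
		return true
	default:
		return false
	}
}

func (l *hashLimiter) release() { <-l.slots }

// inFlight reports how many slots are currently held (for metrics and tests).
func (l *hashLimiter) inFlight() int { return len(l.slots) }

// expensiveHash is a constructed stand-in for a real password hash such as
// bcrypt or argon2: iterated SHA-256, CPU-bound rather than memory-hard.
func expensiveHash(password string) string {
	sum := sha256.Sum256([]byte(password))
	for i := 0; i < 1<<15; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return hex.EncodeToString(sum[:])
}

type hashRequest struct {
	Password string `json:"password"`
}

// passwordHashHandler wraps the hashing endpoint with the concurrency limit and
// a request-body cap so neither request volume nor request size can exhaust memory.
func passwordHashHandler(l *hashLimiter) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, 4096)
		var req hashRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Password == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !l.tryAcquire() {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "hashing capacity exhausted, retry later", http.StatusServiceUnavailable)
			return
		}
		defer l.release()
		json.NewEncoder(w).Encode(map[string]string{"hash": expensiveHash(req.Password)})
	}
}

func main() {
	limiter := newHashLimiter(maxConcurrentHashes)
	// Hypothetical path; the advisory names the endpoint but not its route.
	http.Handle("/PasswordHash", passwordHashHandler(limiter))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

A non-blocking acquire is deliberate: a blocking semaphore would still let an attacker hold open thousands of connections and their buffered bodies, so rejecting at the limit keeps memory bounded. Authentication on the endpoint and a per-client rate limit are complementary controls that this example leaves out.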