OWASP DefectDojo
cpe:2.3:a:owasp:defectdojo:*:*:*:*:*:*:*
- <= 2.55.4
A denial-of-service vulnerability has been identified in OWASP DefectDojo versions through 2.55.4. The issue arises in the SonarQubeParser and MSDefenderParser components, specifically within the 'input_zip.read' function of 'parser.py'. This vulnerability allows for a zip bomb attack, where a small, compressed ZIP file is uploaded. Upon extraction, the file expands to a significantly larger size, consuming excessive server memory and causing an out-of-memory condition that crashes the application. The vulnerability can be exploited remotely by authenticated users with permission to upload findings.
Exploitation of this vulnerability leads to a crash of the application process, causing a denial-of-service condition where the server becomes unresponsive. In environments with limited memory, this can result in the process being killed immediately. Even on servers with sufficient memory, the vulnerability can degrade performance, causing instability for other users.
The vulnerability can be reproduced by uploading a crafted ZIP file, known as a zip bomb, to the DefectDojo application via the 'Import Scan Results' feature. This can be done by selecting either the 'SonarQube Scan' or 'MSDefender Parser' options. Once the ZIP file is uploaded, the server will attempt to process its contents, leading to a rapid increase in memory usage and potentially causing the application to crash.
Users are advised to upgrade to DefectDojo version 2.56.0, where this vulnerability has been addressed. The patch is available on the DefectDojo GitHub repository.
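As an added example (not DefectDojo's own code), the unbounded read pattern the advisory describes is shown next to a bounded reader that rejects an entry before it expands past a cap. The cap, the entry name `report.json`, the sample ZIP and the helper names are constructed for this illustration; the declared-size check is a fast reject only, and the streaming byte count is the guard that holds regardless of what the header claims.

```python
import io
import zipfile

MAX_UNCOMPRESSED_BYTES = 256 * 1024  # constructed demo cap; a deployment sizes this per parser

class ZipTooLargeError(ValueError):
    """Raised when a ZIP entry would expand past the configured limit."""

def read_entry_unbounded(zip_bytes: bytes, name: str) -> bytes:
    # The pattern the advisory describes: the whole entry is inflated into memory at once.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)

def inflate_with_cap(fh, limit: int, name: str = "<entry>") -> bytes:
    """Real guard: count the bytes the decompressor actually produces, chunk by chunk."""
    chunks, total = [], 0
    while chunk := fh.read(64 * 1024):
        total += len(chunk)
        if total > limit:
            raise ZipTooLargeError(f"{name}: exceeded {limit} bytes while inflating")
        chunks.append(chunk)
    return b"".join(chunks)

def read_entry_bounded(zip_bytes: bytes, name: str, limit: int = MAX_UNCOMPRESSED_BYTES) -> bytes:
    """Inflate one entry while never holding more than `limit` bytes of output."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(name)
        # The declared size comes from an attacker-controlled header: cheap fast reject only.
        if info.file_size > limit:
            raise ZipTooLargeError(f"{name}: declared {info.file_size} bytes, limit {limit}")
        with zf.open(info) as fh:
            return inflate_with_cap(fh, limit, name)

def build_sample_zip(uncompressed_size: int) -> bytes:
    """Constructed input: one deflated entry of zero bytes, tiny on disk, large inflated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.json", b"\0" * uncompressed_size)
    return buf.getvalue()

def demo() -> dict:
    small = build_sample_zip(4 * 1024)          # well under the cap
    large = build_sample_zip(4 * 1024 * 1024)   # 4 MiB inflated, only a few KiB compressed
    out = {"small_len": len(read_entry_bounded(small, "report.json")),
           "large_compressed_len": len(large), "large_rejected": False}
    try:
        read_entry_bounded(large, "report.json")
    except ZipTooLargeError:
        out["large_rejected"] = True
    return out
```

Applying the same cap to the total across all entries of an archive, not just per entry, closes the variant where many moderate entries add up to the same exhaustion.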