CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%
Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions depend on the capability to generate a random session ID.
GET http://localhost:8055/utils/random/string
GET http://localhost:8055/utils/random/string?length=foo
GET http://localhost:8055/utils/random/string
will return an empty string instead of a random stringThis counts as an unauthenticated denial of service attack vector so this impacts all unpatched instances reachable over the internet.