
PEACH
Un framework di isolamento del tenant
adawolfa/isdoc reads ISDOC invoices from ISDOCX (ZIP) archives and from PDF files with embedded ISDOC documents and supplements. Affected versions inflate ZIP entries and read embedded files without validating their uncompressed size, so a small crafted file can amplify into gigabytes:
getFromName() inflates the ISDOC document and binary supplements with no size cap.saveTo() disk-fill — the supplement copy loop writes inflated bytes to disk with no running byte budget, so a bomb can exhaust disk even if the central-directory size is under-reported.Length is enormous is read and digested with no upper bound.
Exploitation requires the application to parse an attacker-supplied .isdocx or .pdf (the typical use is generating files or parsing files from trusted vendors, so a user must be induced to process a malicious file). When that happens the process can be driven to exhaust memory or disk, causing denial of service. There is no confidentiality or integrity impact — availability only.Fixed in 1.4.3, 1.5.1, 1.6.1 and 2.0.0. The readers now:
statName()) and reject entries over a cap before inflating — 256 KB (DocumentSizeLimit) for the ISDOC document, 32 MB (SizeLimit) for supplements;saveTo() and unlink the partial file on overflow;Length exceeds 256 MB before reading or digesting them.
New exceptions ReaderException::zipEntryTooLarge(), SupplementException::supplementTooLarge() and ReaderException::pdfSupplementTooLarge() surface the rejection.Versions before 1.4.0 (the 1.0–1.3 lines) are also affected and will not receive a fix, because they target end-of-life PHP. Users on those lines should upgrade to a maintained release — 1.4.3, 1.5.1, 1.6.1, or 2.0.0.
No code-level workaround exists in affected versions; upgrading is the fix. As mitigation, restrict parsing to trusted input, or enforce an external size / decompression limit (validate ZIP entry sizes, cap process memory) before handing files to the library.
Fonte: NVD
Valutazione gratuita delle vulnerabilità
Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.
Richiedi una demo personalizzata
"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."